New virus infection?

  • Question

  • Okay, here's what's what:

    Three days ago I got infected with a virus. I had Norton AV 2007 up-to-date, virus definitions updated and everything, but it still got through. It hit hard: Windows Updates and Task Manager were unable to start and system performance and stability really got hit. I don't know how I got infected, but it could have been a program/ActiveX control etc. from the Internet, as someone else was using the computer at the time, too, and I didn't really know what pages were visited, what got installed etc. Needless to say, Windows updates were all up-to-date, too. I figured I should try to disinfect the PC somehow and I ran Panda ActiveScan and Kaspersky Online scan and even NOD32 online scan, alongside Norton AV scan from my PC; Panda reported some cookies, Kaspersky I think found a virus file and NOD32 and Norton got nothing. Not being able to disinfect, I just formatted my partitions and installed Vista fresh. The thing is, I don't know exactly when it happened, but after I downloaded SP1 and installed Messenger and other small apps, like NetLimiter and Billeo, Windows Update got disabled in the process somehow. I tried all the methods that I've written about here ( http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3376301&SiteID=17&mode=1 ) and still nothing. This morning I tried this:

    I ran msconfig and looked at the startup programs. I found and disabled the following:
    98d8e608 - Unknown - Rundll32.exe "..." - HKLM\...
    BM9bebd594 - Unknown - Rundll32.exe "..." - HKLM\...
    MSServer - Unknown - Rundll32.exe ... - HKLM\...
    Language Application - Unknown - [Path to CyberLink PowerDVD, but I disabled it to be sure] - HKLM\...

    And just to be really sure I disabled some more processes that I thought were not critical, like Symantec or Creative or HP or NVidia. I also checked under Services (after I hid all Microsoft services) and disabled some, just to be sure:

    FLEXnet Licensing Service - Macrovision... - [Don't know exactly what it is]
    Adobe Active File Monitor V6 - Unknown - [I presume if it were from Adobe it wouldn't have written Unknown under Manufacturer]
    Symantec Core LC - Unknown [Again, some apps under Manufacturer had Symantec Corporation, this one had Unknown and I disabled it]

    And some others that I thought were not critical and could do without, just to be sure and in case they got infected.
    One important note: if you try to remove some startup items while running in Windows Normal Mode they just get enabled again; just run msconfig again and you'll see they get enabled instantly. So in order for this not to happen I started Windows in Safe Mode and did all of the above.

    After I did the above in Safe Mode I started Windows normally. I went to Administrative Tools, Services, checked that BITS is running (it was running), Windows Modules Installer is running (was not running) and then enabled Windows Update service (it was disabled and stopped) and started it. Then I could establish a connection to Windows Update, it worked.

    Some interesting things I found along the way: if you execute Windows Internet Explorer, the startup baddies will be enabled. Also, sometimes I get a fake warning for installing I-don't-know-what program or plug-in for spyware and malware detection etc. So clearly there's a new virus in town that does all these bad things. Also note: I have the Windows taskbar in autohide mode and since I got infected (before reinstalling Windows and just after Windows Update got disabled) the bar just keeps popping up from time to time and then goes back just as fast, but it's really annoying.

    In order to browse the Internet I installed Firefox and the baddies don't get enabled, nor do new entries appear in the startup tab of msconfig. Note that the above names, like BM9bebd594, might be random and different on another machine.

    After all this I scanned my PC again, this time with Norton AV 2008 (I do have NIS 2008 and the firewall sometimes displays an info that Download or Downloader program was stopped downloading certain files to my computer) and again with Panda, but nothing was found.

    Does anyone have any idea about what kind of virus this is and how, and with what AV solution, one can get rid of it? Thanks a lot!
    Wednesday, May 21, 2008 7:35 AM
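    The checks the poster did by hand in msconfig and Services can be scripted as a read-only triage pass. The script below is an added example, not code from the thread or from Microsoft; it assumes PowerShell 3 or later in an elevated prompt, uses the standard service names wuauserv, BITS and TrustedInstaller (Windows Modules Installer), and treats the naming pattern seen in the post (98d8e608, BM9bebd594) as a heuristic, so matches are leads to review, not proof of infection.

```powershell
# Added triage script (not from the original thread). Read-only: it reports and changes nothing.
# Assumes PowerShell 3+ and an elevated prompt so the HKLM Run keys are readable.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Heuristic derived from the names quoted in the post (98d8e608, BM9bebd594):
# an 8-digit hex blob, optionally prefixed "BM", whose command line runs through rundll32.exe.
$suspectName = '^(BM)?[0-9a-fA-F]{8}$'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip PSPath/PSDrive metadata properties
        $cmd = [string]$p.Value
        $viaRundll = $cmd -match '(?i)rundll32(\.exe)?'
        $oddName   = $p.Name -match $suspectName
        if ($viaRundll -and $oddName) {
            Write-Output ("SUSPECT  {0}\{1} = {2}" -f $key, $p.Name, $cmd)
        } elseif ($viaRundll) {
            Write-Output ("REVIEW   {0}\{1} = {2}" -f $key, $p.Name, $cmd)   # rundll32 with a normal name
        }
    }
}

# The services the poster had to check by hand: Windows Update, BITS, Windows Modules Installer.
# A Disabled start mode on wuauserv is the symptom described in the post.
$services = @{
    'wuauserv'         = 'Windows Update'
    'BITS'             = 'Background Intelligent Transfer Service'
    'TrustedInstaller' = 'Windows Modules Installer'
}
foreach ($name in $services.Keys) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) { Write-Output ("MISSING  {0} ({1})" -f $name, $services[$name]); continue }
    $flag = if ($svc.StartMode -eq 'Disabled') { 'DISABLED' } else { 'ok      ' }
    Write-Output ("{0} {1,-18} state={2,-8} start={3}" -f $flag, $name, $svc.State, $svc.StartMode)
}
```

    Run it once from Safe Mode and once after a normal boot with Internet Explorer opened, as the post describes; an entry that is absent in the first run and present in the second is the re-enabling behaviour the poster observed.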

All replies

  • I ran into a problem with Norton 360 that sounds similar to this one. It would constantly tell me that it had blocked an unknown file from running, but when I would run a full system scan, nothing would show up. Finally I got rid of 360 and started using Trend Micro Internet Security Pro 2007. Needless to say, I will not be going back to Norton. Right after uninstalling Norton 360, I installed the Trend Micro program and ran its first scan. The Trend Micro found about 7 known viruses that Norton 360 had let through. Since switching from Norton 360, I haven't had any problems with the way my computer has been running.

    Hope this post has helped

    Monday, May 26, 2008 8:03 PM
  • There is more information about this problem here:

    http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3404142&SiteID=17&mode=1

    I tried "Trend Micro Internet Security Pro 2007"'s on-line scan and it found something, but did not clean the main virus, which, by the way, reactivated itself when I installed Java Runtime Environment. So I had to redo all that I posted before in order to deactivate the virus and deactivate Java in Firefox.
    Tuesday, May 27, 2008 7:43 AM