Possible New Virus, Need Help Identifying It

[arokh]

I've got two computers here that seem to have a virus, but when I virus scan it with the newest definitions, nothing turns up.

Situation 1: Computer comes in with these symptoms, can't find the solution so I restore it with restore CD's. Works great. Customer brings it home, 2 days later comes back with the exact same problem.

Situation 2: A different customer with a different computer comes in with the exact same problem, thus prompting me to post this. It's getting a bit much to be coincidence.

Symptoms: Video is wrong, like the drivers aren't installed (low color, low res). And the mouse doesn't work. If you boot into safe mode, the mouse works, but obviously the video won't show normal in safe mode. When I run a virus scan in safe mode, it doesn't find any viruses, but gives read only errors on thousands of html/gif/xml files. Running a full wipe and reload will fix it, but I'm wondering if theres an easier way.

There doesn't seem to be anything unusual in msconfig or system or win.ini files. The strange fact, and maybe this is doing it, maybe not, is both computers have kazaa on them. The first computer had kazaa on it the first time, and I restored it (thus removing it in the process), when it came back in it had kazaa on it again.

I realize it's probably going to need to be wiped and reloaded, but I would like to have some information to give to the customers about -what- happened.

Thanks Much,

/|rokh

[Archer]

Hmmmm........Lots of bad files on Kazaa could be anything really,a bit hard to diagnose.
Do the systems have anything in common apart from this that may be getting corrupted or ask them not to use Kazaa for two weeks to see if it reoccours?
Perhaps with the owners permission you could install a piece of logging software and see if it gives you any clues.

[Wayward Clam]

What antivirus program are you using? Sometimes people have better luck switching to a different brand; I have heard stories of viruses slipping past one scanner and being caught by another.

Another obvious thing to check for is spyware using AdAware or Spybot. Be warned, the latest versions of Kazaa will not function if you remove their spyware... but if that's the problem, you will at least be able to blame the luser instead of the machine or yourself...

[arokh]

Ok, I did a virus scan on PC #2, and this one actually identifies a few interesting things. First of all it sees REGSEEKER or something, I'm not worried about it, I think I can fix it

The second thing it found was 39 infected files with something called [097M_TRISTATE]. What is that? A google search turns up nothing.

Thanks

/|rokh

EDIT - Nevermind, I found the info on this tristate virus. Goes back 3 or so years, I doubt thats the new virus on the horizon answer that I'm looking for. Must keep searching...

[Archer]

Just a thought they`ve not both used MS auto update by any chance have they its terrible at getting the correct hardware drivers ?

[arokh]

Add PC #3 to this problem. This is getting crazy, I can picture the feds showing up in the PC equivalent of bio-epidemic suits. Something is going on here, and none of the virus companies seem to have picked up on it yet.

This one is running WinXP, and for some reason it isn't affected by the mouse/video problems, but it comes up with the same errors when running a virus scan. This one does not have kazaa on it, so I don't think it's that now.

/me scratches head

/|rokh

[MacGyver]

Send one of the infected files to Symantec for analysis.

[geeksRus]

check THIS page for info on this.

[geoscomp]

There is a bit of freeware out there for download called regseeker..if thats what you are finding..it's a system tool that supposedly scans and finds registry entries..but it has some problems with autoclean functions, and can identify windows system fiiles as problem registry entries from time to time..if this is what you arfe finding, sounds like the users are maybe causing their own problems?