virus in my registry kills me after i format

  1. #1
    Registered User
    Join Date
    May 2004
    Posts
    3

    virus in my registry kills me after i format

    OK, I'm sorry, I don't usually post on boards because I'm very, very good with computers. The virus I have right now stuns me because it's far too advanced, and the virus that it matches up with is a simply removed virus. However, I've tried every virus scan known to man, HijackThis, registry programs, Ad-Aware, you name it, I have had it on this computer and NOTHING works. Let me first introduce you to the virus. I have formatted about 10 times this week; I have about 6-8 hours before a complete takeover. The virus does not require an internet connection for a takeover; it does things on its own by creating a fake administration guest account and giving that account powers over me and my computer. The way the virus takes over has differed every time I have reinstalled, and mind you it's two different drives that I've totally wiped clean. Now as for the exact virus, I'm not sure how to locate it; my process tree is normal right now and always is. However, I can't delete folders such as NetMeeting because they are "in use". The virus itself starts somewhere in BIOS and I'm pretty sure it's hkey_local_machine\system\currentcontrolset002
    The virus then starts to log my Documents and Settings everywhere. My System Restore is turned off but still remains active, and so is the folder /recycler, where files that I delete (which can be deleted by me, which the virus uses) are sent, but once I delete for good they are restored and not actually deleted. I've also noticed an extension for files which add on to the regular exe, msmsgs.exe.manifest for example. I'm not familiar with this but it won't hurt to add it in here. The funny thing is that I have no way of actually finding the virus because it only adds startup commands to the normal exe. My system.ini at one point was shell loading the explorer.exe target load.exe, but as of this virus attempt it hasn't. I come here to inform and hopefully find a cure. By reading my computer logs I have found that it appears that my computer is totally normal with all the same files; there's no fake exe running around called virus.exe, but there is another user who isn't even real logged into my computer taking over. Once again I remind you, if you're gonna refer me to going to User Accounts or Network Connections or my Control Panel for help, I've already tried it. My real only resort is to type my entire system, or to find it in BIOS and wipe it from there. The BIOS settings I noticed which are irregular are the "lanman" workstation, and many other folders; seems suspicious. The virus I noticed ended up on my computer about a month ago and then slowly began to take over by an internet user within the .net meeting folder, as I noticed logs of his attempt to get through to my computer. I've read over almost every ini/log/txt/etc file on this computer and watched how the virus uses simple Microsoft technology to open my computer's vulnerabilities. And I note again that I have totally updated my system; it does no help, it's useless. If you need any more details please post here or email me, since I have to reformat about every 8 hours. If you have any suggestions let me know please.
    Right now I'm going to look for a log document of what it has done; I'll let you know, but I don't have much time. It's great when you're sitting there talking to your friends on AIM and about to go into your C drive when you just see it totally disappear =) You type c:\ into Explorer by bar, "drive does not exist", but you're still on AIM haha.

  2. #2
    Registered User shamus's Avatar
    Join Date
    Apr 2001
    Location
    Cornish,Maine,USA
    Posts
    3,140
    Sounds like a boot sector virus.... From the command prompt type fdisk /mbr

  3. #3
    Banned Ya_know's Avatar
    Join Date
    Jun 2001
    Posts
    10,692
    You didn't say what OS...

    Also, you say that you aren't connected to the Internet, and this thing takes over within 8 hours, how are you getting your MS updates?

    The activity sounds bad, but I can't imagine a boot sector virus doing all this, so I have to assume that in some of the software or updates you have installed you may have an infection there that you are unaware of. Could be on CD or floppy, and you are reapplying it each time... just a guess.

    You say you've used several virus scanners, which ones?

    I don't know what to tell you... I've heard stories about BIOS infections too, never seen one. But as with the boot sector virus, I just don't see these types of infections creating users and doing what you have described... so it has to be somewhere.

    It’s too bad you can’t identify the virus/hijacker. I wish I could be more help.

  4. #4
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    OK, so if you have formatted a few times, did you ever zero fill the drive (low level it)?

    Total paranoia requires the following:
    Unplug the network and/or dialup cables.
    Do 7 passes with a zero fill utility.
    Remove RAM and video card from the motherboard and leave them out for a few mins. Unhook all drives and disconnect them from the PSU.

    While the RAM is discharging every last millivolt, remove the motherboard battery and set the BIOS reset jumper for at least 10 seconds... all power to the system removed.

    Replace RAM, video card and floppy drive, boot immediately to BIOS with a known clean floppy, and flash the BIOS including the boot block. Reconnect 1 hard drive, run the zero filler again.

    In a known good system with up-to-date antivirus, check every CD-ROM/CD-RW and floppy you will use on the now virgin system.

    Boot from CD-ROM with an original Windows CD-ROM and load the OS. On another system, download the MS updates using the Windows Catalog method, paying special attention to getting the MSBlast, Nimda and Sasser worm updates first.

    When you are satisfied you have loaded your machine and got antivirus up to date along with Spybot immunisation and all the necessary Windows updates, install a firewall such as Kerio and have it request permission for everything.

    Reconnect to the network and internet and watch for attacks on the firewall.

    BTW what user name is being created?
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

  5. #5
    Registered User
    Join Date
    May 2004
    Posts
    3
    Wow, I replied then something went wrong so I'll type it all up again, took me about 20 minutes hahah.

    First things first, I've created new MBRs, doesn't do anything. I haven't tried to fdisk though.

    Windows XP Pro 32

    As for the virus scanners there's a lot to list:
    Trend Micro online scan
    McAfee scan
    Panda
    Sophos
    AVG Antivirus
    BitDefender
    Norton
    Kaspersky
    eTrust EZ

    I think I might be missing a few too.

    NooNoo, your method sounds really hard =/ I'm trying just to find the area of the registry I need to delete, or just to identify the virus in general.
    The list of users is as follows...

    Administrator (me)
    Administrators (who currently has control of my computer c:\ sharing etc)
    anonymous logon
    authenticated users
    backup operators
    batch
    creator group
    creator owner
    dialup
    everyone
    guest
    guests
    helpassistant
    helpservicesgroup
    interactive
    local service
    network
    network configuration operators
    network service
    power users
    remote desktop users
    remote interactive logon
    replicator (??? what's this)
    service
    support_388945a0
    system
    terminal service user
    users

    Any ideas will help =)

    I tried to post a pic of some stuff I took but it gave me the error:

    The file that you have tried to attach is too big. The maximum size for this filetype is 1 bytes. Your file is 280909 bytes.

    And it's a JPG file.

  6. #6
    Registered User geoscomp's Avatar
    Join Date
    Apr 2002
    Location
    Minnesota
    Posts
    2,340
    "the virus i have right now stuns me because its far too advanced and the virus that it matches up with is a simply removed virus."


    What virus does it match up with? Do you have any names at all?
    Computer Rescue Service

    "those who do not remember history are condemned to repeat it."

  7. #7
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    Are you confusing security groups with users?

    Why have you got anonymous login user active?

    Have you tried simply disabling these excess users?

    You need just administrator (system) and your user name (which has admin rights). Kill the rest.

    Still don't know what windows we are dealing with, although I suspect we are looking at 2k3 server the trial version.

    You cannot attach files; you have to link via your own webspace.
    Never, ever approach a computer saying or even thinking "I will just do this quickly."
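    NooNoo's question above (security groups vs. users) is the crux of the account list: almost every name in it is a built-in group or a well-known security principal that every Windows install has, not a logged-in user. The following is an added example, not code from the thread or from any participant, showing how to tell the two apart and how to spot an enabled account you did not create. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser, Get-LocalGroup, Get-LocalGroupMember); on an XP-era machine the nearest equivalents are the "net user" and "net localgroup" commands. The $ExpectedEnabledUsers list and the spelling of the names in $NamesFromThread are assumptions (the names are written as Windows itself spells them, e.g. "Terminal Server User").

```powershell
# Added example (not from the thread): separate local user accounts from local groups and
# built-in security principals, and flag enabled accounts that are not on the expected list.
# Assumption: accounts that should exist and be enabled on this box. Edit for your machine.
$ExpectedEnabledUsers = @('Administrator', $env:USERNAME)

Write-Host "== Local user accounts =="
Get-LocalUser | Sort-Object Name | ForEach-Object {
    # Anything enabled and not expected deserves a look (e.g. Guest, HelpAssistant, SUPPORT_388945a0
    # are built-in XP accounts that are normally disabled).
    $flag = if ($_.Enabled -and ($_.Name -notin $ExpectedEnabledUsers)) { '  <-- enabled, not expected' } else { '' }
    '{0,-20} Enabled={1,-5} SID={2}{3}' -f $_.Name, $_.Enabled, $_.SID.Value, $flag
}

Write-Host "`n== Local groups and their members =="
Get-LocalGroup | Sort-Object Name | ForEach-Object {
    $members = (Get-LocalGroupMember -Group $_.Name -ErrorAction SilentlyContinue |
                ForEach-Object { $_.Name }) -join ', '
    '{0,-30} members: {1}' -f $_.Name, $members
}

# Names from the list posted in the thread (assumed spelling as Windows knows them). Each one is
# resolved to its SID; the SID prefix tells you what kind of principal it is:
#   S-1-1-* / S-1-3-* / S-1-5-<small number>  well-known principal (Everyone, INTERACTIVE, ...)
#   S-1-5-32-*                                 built-in local group (Administrators, Users, ...)
#   S-1-5-21-*                                 a real account or group created on this machine/domain
$NamesFromThread = @('Administrators', 'Anonymous Logon', 'Authenticated Users', 'Backup Operators',
    'Batch', 'Creator Group', 'Creator Owner', 'Dialup', 'Everyone', 'Guests', 'Interactive',
    'Local Service', 'Network', 'Network Service', 'Power Users', 'Remote Desktop Users',
    'Remote Interactive Logon', 'Replicator', 'Service', 'System', 'Terminal Server User', 'Users')

Write-Host "`n== Resolving names from the list to SIDs =="
foreach ($name in $NamesFromThread) {
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($name)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        $kind = if ($sid -like 'S-1-5-32-*')     { 'built-in local group' }
                elseif ($sid -like 'S-1-5-21-*') { 'account/group created on this machine or domain' }
                else                             { 'well-known security principal (not a user)' }
        '{0,-26} {1,-14} {2}' -f $name, $sid, $kind
    } catch {
        # Some names only exist on certain Windows versions (e.g. Power Users on older releases).
        '{0,-26} (could not resolve on this system)' -f $name
    }
}
```

    Only entries whose SID starts with S-1-5-21 are accounts or groups someone created on the machine; those are the ones to compare against what you set up yourself. Everything else in the posted list is part of a stock install and is not evidence of a second "real" user.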

  8. #8
    Registered User
    Join Date
    May 2004
    Posts
    3
    Quote Originally Posted by NooNoo
    Are you confusing security groups with users?

    Why have you got anonymous login user active?

    Have you tried simply disabling these excess users?

    You need just administrator (system) and your user name (which has admin rights). Kill the rest.

    Still don't know what windows we are dealing with, although I suspect we are looking at 2k3 server the trial version.

    You cannot attach files; you have to link via your own webspace.

    Well, care to explain how to do that? I go to User Groups in Control Panel and it's me and a Guest account which is turned off. The virus tells my computer it's a part of the workstation and it accesses my files. The only users there should be, and that I have set up, are me. If I delete anything, whether it be file, registry or anything, the virus restores it and in turn ****S me over. Just now I tried to revoke their user privileges to my c:\ and it said error, cannot give you access to c:\program files and c:\windows. Right after this error occurred I lost all power to open files, but I could just browse my computer freely without being able to open anything because I lacked access. Just now after I restored I noticed there was a System Restore point already set, so I deleted everything in there. Also, before I had to reformat I noticed a hidden file, c:\recycled\(then some long *** string name like c021-1501-151) which had the Recycler icon. So I deleted files and I saw them in this folder. Before I formatted I saw 2 files I hadn't even deleted, one called dc23.exe (no icon) and one called info2 (no extension). As I surf the internet right now I'm not sure if I'm infected yet, but there is a System Restore directory in my c:\ (System Restore is disabled) and it is logging everything I delete and move in a change.log. I also noticed it created a manifest extension of the exes that I've executed, for example c:\program files\internet explorer\iexplorer.exe.manifest or whatever. Another thing, the file matches in some cases the Nimda and MyDoom viruses, but I've done full scans for those and it shows as nothing. I don't even have the option to disable System Restore right now; there is no tab for it.

  9. #9
    Registered User Naxr's Avatar
    Join Date
    Jun 2004
    Location
    Boston
    Posts
    23
    No offense, but this sounds highly suspect to me. I've never come across a virus that will survive a proper format, unless it's BIOS/MBR. You say you keep reformatting, so why does it come back? You're not going to fix it unless you take Noo-noo's advice. An hour extra to save "formatting" every 8 hours.

    Wiping the hard drive properly should fix it, but it's not, so check the disks you're using to reinstall. You've not said whether you've checked those yet.
    "Never turn your back on a friend."

  10. #10
    Banned TripleRLtd's Avatar
    Join Date
    Aug 2003
    Location
    SW Florida...eye of the storm.
    Posts
    7,251
    Sounds suspect to me, too. I just got another headache reading what xacebot said. But hey, considering it's a month old, he either fixed it or was abducted by it.
    Welcome to WD Naxr.

  11. #11
    Registered User Tekboy's Avatar
    Join Date
    Oct 2003
    Location
    Florida
    Posts
    1,492
    "ok im sorry i dont usually post on boards because im very very good with computers."

    I always love to hear this one. And I have NEVER seen a virus survive a proper zero-fill, that is, one which is carried through to completion.

    NooNoo gave the best advice for the "full paranoia" kill the SOB virus removal and prevention routine. I have done several machines where pretty much all of those steps were necessary, just for my own peace of mind.

    If you try to take shortcuts when troubleshooting, it is quite likely to bite your a$$ more often than not. Never take ANYTHING for granted when troubleshooting! If you have not satisfactorily ELIMINATED a possibility, it is still a possibility.

    Wanna get rid of it? Follow NooNoo's advice.
    If only you knew what's inside of me now,
    You wouldn't want to know me, somehow.

  12. #12
    Registered User Ferrit's Avatar
    Join Date
    Apr 2001
    Location
    Vancouver Island The Real Canada
    Posts
    4,952
    I never post cause I don't know anything about computers.
    Seems to me just flatten the drive as NooNoo says.
    Wipe, Zap, there are tons of utilities.
    Mystery viruses?? Heh, unlikely, sounds more like OE.
    Last edited by Ferrit; June 6th, 2004 at 07:18 PM.
    Gigabyte 990FXA-UD3
    AMD FX 8350 4ghz OCTO-Core
    Windows 8.1 PRO 64
    Adata 256 gig SSD
    Kingston HyperX 1600 16 Gigs
    Sapphire R9 280 2gig
    Enermax Liberty Modular 620
    www.northernaurora.net
    http://www.northernaurora.net/page/chat.html

  13. #13
    Registered User
    Join Date
    Nov 2003
    Posts
    92
    Quote Originally Posted by Ya_know
    I don't know what to tell you...I've heard stories about BIOS infections too, never seen one. But as with the boot sector virus, I just don't see these type of infections creating users, and doing what you have described...so it has to be somewhere.

    As for this, wasn't the Chernobyl virus the first one to actually wipe out a BIOS or render the mobo unusable anymore? I remember being a bench tech during that time and many comps came in that were rendered useless.

    As for this guy, I think he was trying to pull a fast one and got caught.

  14. #14
    Registered User xpuser357's Avatar
    Join Date
    Apr 2004
    Location
    Poplar Bluff, Mo.
    Posts
    1,328
    xacebop, you said you were good with computers??? A hard drive has a subdirectory that a simple format will not erase. NooNoo is right on the money: you need a drive utility to write zeros to every part of that drive to clean it up.

  15. #15
    Registered User
    Join Date
    Mar 2005
    Posts
    1,534
    That's one paranoid SOB that would go that far, but he's right.
