-
May 7th, 2004, 05:47 AM
#1
virus in my registry kills me after i format
OK, I'm sorry, I don't usually post on boards because I'm very, very good with computers. The virus I have right now stuns me because it's far too advanced, and the virus that it matches up with is a simply removed virus. However, I've tried every virus scan known to man, HijackThis, registry programs, Ad-Aware, you name it, I have had it on this computer and NOTHING works. Let me first introduce you to the virus. I have formatted about 10 times this week; I have about 6-8 hours before a complete takeover. The virus does not require an internet connection for a takeover; it does things on its own by creating a fake administration guest account and giving that account powers over me and my computer. The way the virus takes over has differed every time I have reinstalled, and mind you, it's two different drives that I've totally wiped clean. Now as for the exact virus, I'm not sure how to locate it; my process tree is normal right now and always is. However, I can't delete folders such as NetMeeting because they are "in use". The virus itself starts somewhere in BIOS, and I'm pretty sure it's hkey_local_machine\system\currentcontrolset002
The virus then starts to log my Documents and Settings everywhere. My System Restore is turned off but still remains active, and so is the folder /recycler, where files that I delete (which can be deleted by me, and which the virus uses) are sent, but once I delete them for good they are restored and not actually deleted. I've also noticed an extension for files which adds on to the regular exe, msmsgs.exe.manifest for example. I'm not familiar with this, but it won't hurt to add it in here. The funny thing is that I have no way of actually finding the virus because it only adds startup commands to the normal exe. My system.ini at one point was shell loading the explorer.exe target load.exe, but as of this virus attempt it hasn't. I come here to inform and hopefully find a cure. By reading my computer logs I have found that it appears that my computer is totally normal with all the same files; there's no fake exe running around called virus.exe, but there is another user who isn't even real logged into my computer, taking over. Once again I remind you, if you're gonna refer me to going to User Accounts or Network Connections or my Control Panel for help, I've already tried it. My real only resort is to type my entire system, or to find it in BIOS and wipe it from there. The BIOS settings I noticed which are irregular are the "lanman" workstation, and many other folders; seems suspicious. The virus, I noticed, ended up on my computer about a month ago and then slowly began to take over by an internet user within the .net meeting folder, as I noticed logs of his attempt to get through to my computer. I've read over almost every ini/log/txt/etc. file on this computer and watched how the virus uses simple Microsoft technology to open my computer's vulnerabilities. And I note again that I have totally updated my system; it does no help, it's useless. If you need any more details, please post here or email me, since I have to reformat about every 8 hours. If you have any suggestions, let me know please.
Right now I'm going to look for a log document of what it has done. I'll let you know, but I don't have much time. It's great when you're sitting there talking to your friends on AIM and about to go into your C drive when you just see it totally disappear =) You type c:\ into the Explorer bar, "drive does not exist", but you're still on AIM haha.
-
May 7th, 2004, 07:09 AM
#2
Registered User
Sounds like a boot sector virus... from the command prompt, type fdisk /mbr
-
May 7th, 2004, 07:33 AM
#3
Banned
You didn't say what OS...
Also, you say that you aren't connected to the Internet, and this thing takes over within 8 hours, how are you getting your MS updates?
The activity sounds bad, but I can't imagine a boot sector virus doing all this, so I have to assume that in some of the software or updates you have installed you may have an infection there that you are unaware of, could be on CD or floppy, you are reapplying it each time…just a guess.
You say you've used several virus scanners, which ones?
I don't know what to tell you...I've heard stories about BIOS infections too, never seen one. But as with the boot sector virus, I just don't see these type of infections creating users, and doing what you have described...so it has to be somewhere.
It’s too bad you can’t identify the virus/hijacker. I wish I could be more help.
-
May 7th, 2004, 07:57 AM
#4
Driver Terrier
OK, so if you have formatted a few times, did you ever zero fill the drive (low level it)?
Total paranoia requires the following:
Unplug the network and/or dialup cables.
Do 7 passes with a zero fill utility.
Remove RAM and video card from the motherboard and leave them out for a few minutes. Unhook all drives and disconnect them from the PSU.
While the RAM is discharging every last millivolt, remove the motherboard battery and set the BIOS reset jumper for at least 10 seconds... all power to the system removed.
Replace RAM, video card and floppy drive, boot immediately to BIOS with a known clean floppy, and flash the BIOS including the bootblock. Reconnect 1 hard drive and run the zerofiller again.
On a known good system with up-to-date antivirus, check every CD-ROM/CD-RW and floppy you will use on the now virgin system.
Boot from CD-ROM with an original Windows CD-ROM and load the OS. On another system, download the MS updates using the Windows Catalogue method, paying special attention to getting the MSBlast, Nimda and Sasser worm updates first.
When you are satisfied you have loaded your machine and got antivirus up to date along with Spybot immunisation and all the necessary Windows updates, install a firewall such as Kerio and have it request permission for everything.
Reconnect to the network and internet and watch for attacks on the firewall.
BTW what user name is being created?
Never, ever approach a computer saying or even thinking "I will just do this quickly."
-
May 7th, 2004, 08:38 AM
#5
Wow, I replied, then something went wrong, so I'll type it all up again; took me about 20 minutes hahah.
First things first, I've created new MBRs; doesn't do anything. I haven't tried to fdisk, though.
Windows XP Pro 32
As for the virus scanners, there's a lot to list:
Trend Micro online scan
McAfee scan
Panda
Sophos
AVG Antivirus
BitDefender
Norton
Kaspersky
eTrust EZ
I think I might be missing a few too.
NooNoo, your method sounds really hard =/ I'm trying just to find the area of the registry I need to delete, or just to identify the virus in general.
The list of users is as follows...
Administrator (me)
Administrators (who currently has control of my computer c:\ sharing etc)
anonymous logon
authenticated users
backup operators
batch
creator group
creator owner
dialup
everyone
guest
guests
helpassistant
helpservicesgroup
interactive
local service
network
network configuration operators
network service
power users
remote desktop users
remote interactive logon
replicator (??? what's this)
service
support_388945a0
system
terminal service user
users
Any ideas will help =)
I tried to post a pic of some stuff I took, but it gave me the error:
The file that you have tried to attach is too big. The maximum size for this filetype is 1 bytes. Your file is 280909 bytes.
And it's a jpg file.
-
May 7th, 2004, 08:54 AM
#6
Registered User
"the virus i have right now stuns me because its far too advanced and the virus that it matches up with is a simply removed virus."
What virus does it match up with? Do you have any names at all?
-
May 7th, 2004, 09:01 AM
#7
Driver Terrier
Are you confusing security groups with users?
Why have you got anonymous login user active?
Have you tried simply disabling these excess users?
You need just administrator (system) and your user name (which has admin rights). Kill the rest.
Still don't know what Windows we are dealing with, although I suspect we are looking at 2k3 Server, the trial version.
You cannot attach files; you have to link via your own webspace.
Never, ever approach a computer saying or even thinking "I will just do this quickly."
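NooNoo's question above (groups versus users) can be answered mechanically against the name list from post #5: most of those names are well-known security principals and built-in groups that every Windows install has, not accounts that can log on. The script below is an added example, not code from the thread; it assumes a current Windows host with the LocalAccounts module (Get-LocalUser did not exist on XP), and XP-era names that no longer exist on such a host simply show as unresolved. The name list is embedded as constructed input copied from post #5.

```powershell
# Constructed sample input: the names listed in post #5 of the thread.
$namesFromPost = @(
  'Administrator','Administrators','anonymous logon','authenticated users',
  'backup operators','batch','creator group','creator owner','dialup','everyone',
  'guest','guests','helpassistant','helpservicesgroup','interactive','local service',
  'network','network configuration operators','network service','power users',
  'remote desktop users','remote interactive logon','replicator','service',
  'support_388945a0','system','terminal service user','users'
)

function Classify-Principal {
    # Resolve a name to its SID and bucket it by the SID's well-known prefix.
    param([string]$Name)
    try {
        $sid = ([System.Security.Principal.NTAccount]$Name).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        # Name does not exist on this host (or is misspelled in the post).
        return [pscustomobject]@{ Name = $Name; Sid = $null; Kind = 'unresolved on this host' }
    }
    $kind = switch -Regex ($sid) {
        '^S-1-5-32-\d+$' { 'built-in local group'; break }          # Administrators, Users, ...
        '^S-1-5-21-'     { 'real account or group (machine SID)'; break } # Administrator, Guest, ...
        default          { 'well-known security principal (not an account)' } # Everyone, INTERACTIVE, ...
    }
    [pscustomobject]@{ Name = $Name; Sid = $sid; Kind = $kind }
}

# Classify every name from the post.
$namesFromPost | ForEach-Object { Classify-Principal $_ } | Format-Table -AutoSize

# Cross-check: the accounts that can actually log on are only these.
Get-LocalUser | Select-Object Name, Enabled, SID | Format-Table -AutoSize
```

Anything that resolves to an S-1-5-21-... SID and is not in the Get-LocalUser output is a group, and anything in the third bucket is a logon-type identity that Windows assigns dynamically, which is why it cannot be "disabled" from User Accounts.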
-
May 7th, 2004, 11:07 AM
#8
Originally Posted by NooNoo
Are you confusing security groups with users?
Why have you got anonymous login user active?
Have you tried simply disabling these excess users?
You need just administrator (system) and your user name (which has admin rights). Kill the rest.
Still don't know what Windows we are dealing with, although I suspect we are looking at 2k3 Server, the trial version.
You cannot attach files; you have to link via your own webspace.
Well, care to explain how to do that? I go to user groups in Control Panel and it's me and a guest account which is turned off. The virus tells my computer it's a part of the workstation and it accesses my files. The only users there should be, and that I have set up, are me. If I delete anything, whether it be file, registry or anything, the virus restores it and in turn ****s me over. Just now I tried to revoke their user privileges to my c:\ and it said error cannot give you access to c:\program files and c:\windows. Right after this error occurred I lost all power to open files, but I could just browse my computer freely without being able to open anything because I lacked access. Just now after I restored I noticed there was a System Restore point already set, so I deleted everything in there. Also, before I had to reformat I noticed a hidden file, c:\recycled\(then some long *** string name like c021-1501-151), which had the Recycler icon. So I deleted files and I saw them in this folder. Before I formatted I saw 2 files I hadn't even deleted, one called dc23.exe (no icon) and one called info2 (no extension). As I surf the internet right now I'm not sure if I'm infected yet, but there is a System Restore directory in my c:\ (System Restore is disabled) and it is logging everything I delete and move in a change.log. I also noticed it created a manifest extension of the exes that I've executed, for example c:\program files\internet explorer\iexplorer.exe.manifest or whatever. Another thing, the file matches in some cases the Nimda and MyDoom viruses, but I've done full scans for those and it shows as nothing. I don't even have the option to disable System Restore right now; there is no tab for it.
-
June 6th, 2004, 05:35 PM
#9
Registered User
No offense, but this sounds highly suspect to me. I've never come across a virus that will survive a proper format, unless it's bios/mbr. You say you keep reformatting, so why does it come back? You're not going to fix it, unless you take Noo-noo's advice. An hour extra to save "formatting" every 8 hours.
Wiping the hard-drive properly should fix it, but it's not, so check the disks you're using to reinstall. You've not said whether you've checked those yet.
"Never turn your back on a friend."
-
June 6th, 2004, 06:20 PM
#10
Banned
Sounds suspect to me, too. I just got another headache reading what xacebot said. But hey, considering it's a month old, he either fixed it or was abducted by it.
Welcome to WD Naxr.
-
June 6th, 2004, 07:05 PM
#11
Registered User
"ok im sorry i dont usually post on boards because im very very good with computers."
I always love to hear this one. And I have NEVER seen a virus survive a proper zero-fill, that is, one which is carried through to completion.
NooNoo gave the best advice for the "full paranoia" kill the SOB virus removal and prevention routine. I have done several machines where pretty much all of those steps were necessary, just for my own peace of mind.
If you try to take shortcuts when troubleshooting, it is quite likely to bite your a$$ more often than not. Never take ANYTHING for granted when troubleshooting! If you have not satisfactorily ELIMINATED a possibility, it is still a possibility.
Wanna get rid of it? Follow NooNoo's advice.
If only you knew what's inside of me now,
You wouldn't want to know me, somehow.
-
June 6th, 2004, 07:14 PM
#12
Registered User
I never post cause I don't know anything about computers.
Seems to me just flatten the drive as NooNoo says.
Wipe Zap, there are tons of utilities.
Mystery viruses?? Heh, unlikely, sounds more like OE.
Last edited by Ferrit; June 6th, 2004 at 07:18 PM.
-
August 28th, 2005, 01:26 PM
#13
Originally Posted by Ya_know
I don't know what to tell you...I've heard stories about BIOS infections too, never seen one. But as with the boot sector virus, I just don't see these type of infections creating users, and doing what you have described...so it has to be somewhere.
As for this, wasn't the Chernobyl virus the first one to actually wipe out a BIOS or render the mobo unusable? I remember being a bench tech during that time, and many comps came in that were rendered useless.
As for this guy, I think he was trying to pull a fast one and got caught.
-
August 28th, 2005, 04:33 PM
#14
Registered User
xacebop, you said you were good with computers??? A hard drive has a subdirectory that a simple format will not erase. NooNoo is right on the money: you need a drive utility to write zeros to every part of that drive to clean it up.
-
August 29th, 2005, 01:51 PM
#15
That's one paranoid SOB that would go that far, but he's right.