Help, my first virus in 12 years and I am lost ....

Posting from my LINUX machine.

My XP SP2 machine has been slipped a ‘mickey’ and is all wonky.

Crashes browsers every few minutes, have to reboot to be able to relaunch. Even kills AOHell. Kills the whole computer about every other time.

Can’t download an uncorrupted virus scanner, like AVG or three others I have tried. I always end up with a corrupted file. They won’t install.

System restore will not work. Tried a lot of different times in the past and no go.

Have done registry cleaners, defrag, scan disk; it keeps asking for scans, like with improper shutdowns, on all drives on a lot of the boot-ups but not always.

My back up HD is corrupted also when I connected it after disconnecting my win 98 FAT 32 drive and the main SATA XP Drive.

Removed all programs that seemed likely, removed the Firefox addons I did recently…

Cleaned all cookies and temp files etc., re-cleaned, defragged again, etc. & rinse, lather, repeat many times…

Online virus checkers will not fly. ZoneAlarm on or off, no difference.

Does any of this sound familiar?

Any ideas on what to do?

Can I completely reinstall XP and then pull all my pictures and files text from the bad HD or has the virus gotten into someplace else and how do I identify it and get rid of it?

Why / how did it get to and mess up the backup cloned HD that was not connected when I tried it? Was cloned a month ago and virus is new about 48 hours ago.
Help please…

If the virus isn’t doing anything like hijacking your browser it might not actually be a virus. The vast majority of viruses these days are malware and browser hijackers that have specific objectives, not just general chaos. If files are getting corrupted you may have a serious drive integrity or RAM hardware issue.
Assuming it’s not a hardware issue, download “hijack this” from another PC and put it on a thumb drive. Also DL an evaluation copy of AVG or Kaspersky and put it on the thumb drive as well.

Start the OS in safe mode and install hijackthis. The readout when activated should tell you if you have unwanted passengers in your start up registry.

You need to delete the hitchhikers then reboot into standard start up. Then run hijack this again and clean out any new unwanted lines. Re-boot to safe mode and do any additional clean outs if you have unwanted lines being loaded.

Then re-boot to normal mode. The virus/malware should be stunned enough at this point that you can load a virus checker and do final scans and clean outs.

Astro’s advice is quite good. If you’re not familiar with the log file that Hijackthis will produce, there are websites available specifically to help you. I tend to like

There are some NASTY trojans out there right now – I just had to do a wipe and reinstall this week. Some of the more sophisticated malware will actually recognize when the user is looking and hide.

Other than Astro’s advice, I offer the following:

From a clean system (at work, a friend’s house, library, etc.) download the following, besides Hijackthis:

Spybot Search and Destroy
AdAware 2008 Free
Malwarebytes’ Anti-Malware
SUPERAntispyware Free edition

There are other fairly specific tools available, such as ComboFix and MGTools, which are usually requested by the techs at self-help antimalware forums.

Let you in on something I discovered this week:

We generally don’t give much thought to our Java installation – websites seem to work fine and it’s basically forgotten. Bad move. There is malware out there that takes advantage of security gaps in older versions of Java and can do nasty things to your system. Whatever happens with this infection, when you’re clean (via cleanup or reinstall) you need to hit Sun’s website and get the latest version of their Java ASAP. It has gotten to the point where there are shady, fake antimalware programs out there that they con you into buying (via fake ‘alerts’ downloaded and installed by their own trojans.) They then use the revenue to purchase ad space on reputable websites, which can then exploit Java – even in Firefox – and cause more users to become infected, thus securing more sales of their fake ‘remover’.

If your desktop background changes to a scary looking warning about spyware/trojans, and you SEEM to be crashing to a blue Windows error screen, you’ve got one of these, probably a version of Virtumonde. It’s a nasty bastard. That blue screen of death? Just a screensaver to scare you into buying their product.

Otherwise, you probably have one or more trojans executing downloads/installs of other malware, which adds up fast. I suggest, as soon as possible but certainly when you have a clean system, that you put a firewall like ZoneAlarm on your system and make sure it asks about program access. Be very, very careful about allowing any .tmp file access to the web – these things hide in tmp files.

SpyBot has a tool called “Resident-TeaTimer” that can autorun on startup and will alert you to changes in your registry or startup list, where Malware likes to add entries. SpywareGuard can do the same. If you purchase the full versions of some programs, you get the same ‘realtime’ protection. Even with all that, though, no system is 100% safe 100% of the time.

Used to be if we downloaded the newest virus/malware/trojan definitions every couple of weeks or so, not much could get to us. Now, two weeks is an eternity, as the malware can change, drastically, from day to day. The bad guys are getting the updates and working around them, and the good guys are tweaking, and so on.

I feel for you…this is a hard process, especially once infection sets in and becomes noticed.

Once your system is pristine, do the Java update, make sure you’re using Firefox 3 (or whatever you prefer), make sure you have multiple scanners ready and updated, and make sure your scanners will update daily themselves, or do it manually NO LESS than once weekly. Scan NO LESS than once weekly with everything. Also, create a limited user account that does not have Administrator privileges on your computer, and use that. It isn’t perfect, but it gives you a bit of a leg up, since restricted users typically do not have access to critical files or folders.

Key places to look for malware:

Registry (particularly within the /Run tree)

And, of course, in your startup menu. Beware, these things can hide and not show in the startup menu in msconfig. Likewise, malware can hide in ‘real’ processes and be very difficult to remove. Some variants will alter all the .exe files they can find…and at that point I know no other way to get rid of it than a reformat/reinstall.

Good luck!
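
An added example, not part of the original posts: one way to triage the Run keys mentioned above from a clean machine, by parsing saved `reg query` output and flagging startup entries that launch from a Temp directory or reference a `.tmp` file. The sample output, the value names in it and the two heuristics are constructed assumptions, and a flag is a prompt to look closer, not a verdict.

```python
import re

# Constructed sample of `reg query` output (not taken from a real machine).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ZoneAlarm Client    REG_SZ    "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    sysupd    REG_SZ    C:\DOCUME~1\user\LOCALS~1\Temp\a3f.tmp

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    helper    REG_SZ    rundll32.exe "C:\Documents and Settings\user\Local Settings\Temp\qx.dll",Run
"""

# "<indent><value name><gap>REG_<type><gap><data>"; value names may contain spaces.
ENTRY = re.compile(r"^\s+(?P<name>.+?)\s+REG_[A-Z_]+\s+(?P<data>.*)$")

def parse_reg_query(text):
    """Return (key, value_name, data) for every value in `reg query` output."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()          # header line names the key that follows
            continue
        m = ENTRY.match(line)
        if m and key:
            entries.append((key, m.group("name"), m.group("data").strip()))
    return entries

def reasons(data):
    """Heuristics (assumptions): startup items rarely live in Temp or end in .tmp."""
    low = data.lower()
    found = []
    if "\\temp\\" in low:
        found.append("runs from a Temp directory")
    if re.search(r"\.tmp\b", low):
        found.append("references a .tmp file")
    return found

def triage(text):
    """Return only the Run entries that deserve a closer look."""
    flagged = []
    for key, name, data in parse_reg_query(text):
        why = reasons(data)
        if why:
            flagged.append((key, name, data, why))
    return flagged

if __name__ == "__main__":
    for key, name, data, why in triage(SAMPLE):
        print(f"{key}\n  {name} -> {data}\n  flagged: {', '.join(why)}")
```
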

Different RAM and so far so good…

Could it have been that easy? *:: knocks on wood ::*