Need help with possible PC virus...

I believe it was picked up via an email at my uncle’s company. It’s affecting two computers in the office, with Windows 2000 Pro being the OS. The best way to describe it is that it appears to be shutting down certain programs upon opening. Microsoft Antispyware and Adaware open fine, but a few others, including Symantec’s Anti Virus program, are shut down upon opening. The thing that has me most wary of it being a virus vs. individual program problems is that when I Ctrl + Alt + Delete to go to the task manager to see what programs are running, it comes up for about half a second, showing no programs running, then disappears. This happens on each computer that is infected and on none of the ones that aren’t. The only apparent separate problems between the two infected PCs are that the one I’m currently using has functioning internet access, with the other one occasionally shutting down for no apparent reason. I apologize for the clusterfuck of writing, but I’m doing quite a few things at once, including labor in a 100 degree warehouse. Any advice on the matter would be appreciated.

Do the Microsoft and Adaware programs run cleanly and report that there are no problems?

Try to download AVG Antivirus and see if that will run. They have a free version that works pretty well.

If you know what you’re doing, you could try removing items from the “Run” keys in the registry, and then rebooting your computer… But DO NOT do this if you’re not sure what you’re doing, and unless you have a good backup of your registry.

There are other hints in the Sticky thread at the top of the forum that refers to computer problems.

Perhaps Netsky?

Haven’t really made any progress and haven’t gotten any replies over at techforum. Anyone here able to make sense out of Hijack This logs or know of any other forums that have people that could help with this? Log is here. I may simply opt to reformat the HDs if I don’t make any progress. I’ve been able to open Task Manager while in Safe Mode, but I haven’t seen any unusual programs running.

Did you download AVG antivirus? You should be able to run it in safe mode. If you can’t download it from the virus-infected computer, download it from a different computer, burn it to CD, then run it from safe mode. You can do the same thing with Spybot Search & Destroy and Adaware.

Are you familiar with the registry at all? If you want you can post the contents of your Run, RunOnce, and RunOnceEx registry keys here, and I can help you determine which entries might be malicious or questionable.

  1. If you can get to the site, go to and run their virus scan. It may find it.

  2. If you want to take a look at the processes, use taskill (From – scroll down). It is usually ignored by viruses that shut down the Task Manager. You can view and shut down anything that looks bad (while I wouldn’t suggest indiscriminately shutting down a task just to see what happens, in the long run the worst you’d see was your computer crashing and a reboot would fix that.)

  3. To get a good look at what’s happening, use hijackthis. Save the log and post it here.

Can’t see your log from this link.
Got another one?
Or would you like to email it to me?
Post and let me know if you email it.

Apparently, this is a worm

So neither AVG nor NAV picked it up?

Did you try scanning in safe mode?

Here’s Symantec’s info.

When W32.Kwbot.S.Worm@mm runs, it performs the following actions:
5. Enumerates contacts in the Windows address book and sends email messages to the addresses gathered, using an integrated SMTP client engine.

  1. Connects to a predetermined IRC channel, using its own IRC client, and listens for commands from an attacker. The commands allow an attacker to perform any of the following actions:
    * Manage the installation of the worm.
    * Control the IRC client on a compromised computer.
    * Update the installed worm.
    * Perform Denial of Service (DoS) attacks against a target, which the attacker specifies.

Neither AVG nor Symantec’s program (which only works in safe mode) picked it up, and I fixed a bunch of things with Hijack This as recommended by techforum. I can’t find syscnfg running in task manager but I think I’ve found it in regedit. I need to steal a mouse from another machine when I have the chance in order to see the whole file name (shoddy hardware and software + working on and off in the 100+ degree warehouse = gyarrrrrrrrrr!). I will post an update when back from lunch, but I think you found the problem PatriotX, thanks a million.

Fixed, much love.