TechSpot

To rid the disease

By BobbySocks
Feb 16, 2009
  1. Hello TechSpot users.

    Before I dive into the substance of the matter I feel it's obligatory that I point out how inspiring the work you guys do here is and how much I hope you keep on keeping on!
    As for the thorn(s) that drove me to sign up here, I wish you and your masters a good riddance.

    It all began when my main motherboard fried. Yanked my USB out, PC shut down, never to see the light again. Board went dead. Fine, no problem, I have a spare OptiPlex GX620 in the basement. Disconnected the dead corpse, hooked up the GX620 and installed an XP SP2 Dell CD I've had from a past machine. Everything went through smoothly. Installed the recommended drivers (in the correct order!), AVG Internet Security, Spybot S&D, and other convenient software like MS Office etc. All this was done offline also. I proceeded to reboot as required by the driver installations.

    The system restarted, I plugged in my network card, and began to browse the internet to DL other miscellaneous software, namely Firefox, mIRC etc. Everything was fine up until the point where AVG began reporting some "Win32/Heur" virus detection in my Windows folder, randomly spitting out "infected" files like rundll32, regsvr.dll and other native /windows/ files that I knew weren't problematic based on all that I mentioned before. I decided to ignore this and kept on browsing the internet via IE. I found mIRC and dl'd it to my local C drive with no drama. However, when I came to open the installed mirc.exe the hourglass flashed for a quick second and nothing happened after that. I proceeded into a clicking frenzy for approximately 1 minute to no avail. I cycled through everything from attempting to run it from a USB stick to creating a second account and running from there, with no success. However, by some luck I found myself right-clicking the exe and choosing the "Run as..." option and ran it under "Current user". End result: the thing opened (even though it kinda froze for a few seconds post-loading). Of course, this puzzled me for a good while. To the point where it led me to think that troubleshooting was a waste of my time! Heh, of course I recovered from this temporary takeover.

    In a nutshell these are my main concerns. As side notes, however, I'd like to add that:

    1) I have two occurrences of Notepad.exe and explorer.exe (one set in c:\windows and the other in c:\windows\system32)

    2) AVG seldom detects a Trojan Horse Gen "virus"
    3) When I click "System" in the Control Panel I'd get an error dialog with an accompanying message along the lines of: "Windows cannot find C:\windows\system32\rundll32.exe. Make sure you typed the blagh blagh" you get the point.
    4) Also, AVG tends to regard every little thing I do as malicious content now. For example it'll pick up my printer's drivers as a virus @___@

    My System Specs. are as follows:

    OS Name: Microsoft Windows XP Professional
    Version: 5.1.2600 Service Pack 2 Build 2600
    System Type: X86-based PC
    System Model: OptiPlex GX620
    Processor: x86 Family 15 Model 4 Stepping 7 GenuineIntel ~2660 MHz
    BIOS Version/Date: Dell Inc. A11, 11/30/2006
    SMBIOS Version: 2.3
    Total Physical Memory: 512.00 MB


    All input greatly appreciated guys!
     
  2. hellokitty[hk]

    hellokitty[hk] Hello, nice to meet you! Posts: 3,435   +145

    So you used the XP SP3 CD that Dell gave you for your computer with your old motherboard?
    It could possibly have installed the wrong chipset drivers for your motherboard, though that doesn't really seem to be the issue here...but just make sure the motherboards are the same. It seems more like a malware problem.

    Curiously, you're one of the first to take blowing a mobo so easily, and have a spare one right on hand lol.

    Great post BTW.
     
  3. BobbySocks

    BobbySocks TS Rookie Topic Starter

    Well, I didn't necessarily "receive" it from Dell...lol

    My father picked it up on his way from work out of the garbage dump and we got a Dell Reinstallation XP CD from someone and ran it.
    Also, I think I did kinda mess up the driver installation order compared to what Dell recommended for my service tag...but would that minor detail be able to cause this much annoyance?

    Also, ty for the contribution kitty ^____~
     
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Uninstall your AVG Antivirus
    Then run the removal tool
    Here is the 32-bit version (most users): http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe
    Here is the 64-bit version: http://www.avg.com/filedir/util/avg_arv_sup_____.dir/avgremoverx64.exe

    Run Startup Control Panel and remove any not required startups: (should be most, except Avira AntiVirus!)

    Install Avira free AntiVirus

    Have a look at:
    UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

    Yes yes good post :)
     
  5. BobbySocks

    BobbySocks TS Rookie Topic Starter

    Thanks for the response kimsland

    I followed your advice and uninstalled AVG and it forced me to reboot. So I did that. Upon rebooting, however, I was prompted with a Data Execution Prevention dialog box stating that "Windows has closed this program"

    Name: Windows Logon UI

    I hit Close Message and got a Don't Send/Send Error Report box. Hit Don't Send and then the PC hung. All I could observe was the beautiful, well co-ordinated colors of my desktop's wallpaper. However, I was not in the mood for that just yet! I decided to see if Task Manager would run... but no, DEP had to "close this program" just the same. So I was forced to restart.

    Rebooted twice only to get the same result. I figured I'd reboot a third time but log on via Administrator and hopefully bear fruitful results. Well, in a sense, I did, because I was able to log in to the account, but was still prompted with the DEP closing Windows Logon UI dialog etc. This goes on in an infinite loop after every successive Don't Send click, so I just drag it to the side while I type this post right now.

    I will continue on with the remainder of the steps and keep you posted with all that's new.

    Thanks guys!
     
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Yes, AVG 8 has a way of corrupting when Virus\Malware is likely present
    The uninstall of this program was still worth it. If I were servicing it, and it had done that, I would have said "of course, just like AVG!"

    Next would be to go to Safe Mode with Networking, and then run the AVG Removal tool (note: normally other users do not need to do this in Safe Mode)

    Likely at this point I would suggest continuing as far as possible with the 8-step removal guide. And then, at last, go back to Normal mode, install Avira, and then continue the guide again

    Please try that
    And thanks for your thanks too!
     
  7. BobbySocks

    BobbySocks TS Rookie Topic Starter

    Alright kimsland, I have completed all that was suggested. The logs are attached if needed
     
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I see you decided to go with Avast Antivirus, even though I stated Avira to you
    Avast is still a very good Antivirus (i.e. that's why it's in the guide) But I would have preferred you just went with what I "suggested"

    By the way...


    -> No action taken on MBAM scan, for found issues
    Please re-run Malwarebytes
    Confirm updated (third tab)
    Then do the above quoted message, but this time "Remove all found issues"

    By the way, you will need to then restart, and run (and attach) a new HJT log
    We are at Post#8 and still require the logs, like it's post#1 still :(
     
  9. BobbySocks

    BobbySocks TS Rookie Topic Starter

    Actually kimsland, Avira was giving me a hell of a time going through the setup; always returning some sort of "CRC of something changed" and then it'd abort and I'd have to start all over again.
    Also, my bad about the MBAM logs; I was completely out of the loop when I was saving that thing, thinking I had removed all the infections it had found. The results were kinda standard though, nothing out of the ordinary that I couldn't handle.
    Another thing that I'm pretty curious about is what happened today after I installed SP3 and disabled Data Execution Prevention for Windows Logon UI and two other things, then rebooted.
    Upon rebooting the system, right before it came to the point where it was time for the logon screen to come up, I received a BSoD saying something along the lines of "Fatal Error: Windows Logon Service has been terminated. The system has shut down."
    This would go on to continue for two subsequent reboots. I decided to try logging in via Safe Mode - same thing. Last Known Good Configuration, same thing. Ran a repair with the XP CD and was able to get back in. The hourglass flashing problem when attempting to open mIRC still lingers however. Bleh, I really don't know what in the world could possibly be the problem...
     
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Did you run the AVG Removal tool I linked up there?
    This really sounds like leftover AVG link scanning issues
     
  11. BobbySocks

    BobbySocks TS Rookie Topic Starter

    Yes, I did, but it picked up nothing
     
  12. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  13. BobbySocks

    BobbySocks TS Rookie Topic Starter

    Alright kimsland, I think I've been infected with the "w32.virut.*" virus according to Avast. In addition, based on all that I've been reading in relation to the virus and all its byproducts thus far, most of its symptoms are quite evident on my PC without a doubt. For example the failure to execute executables, random "sending message.." prompts, arbitrary IEXPLORER.exe popping up and so forth.

    Investigating deeper into the situation I came to find out that my USB was also infected, and could well and possibly be the source of the culprit in the first place! (assuming from the various lines of action I've taken during the whole troubleshooting process, with my USB stick)
    Unfortunately for me, however, I found all this out after I had already injected my infected stick into my basement PC's port :(....no need to question what happened next..

    Right now I'm typing on the OptiPlex in Safe Mode with Networking as it won't load in normal mode; after I enter my user password the system just hangs and shows only my wallpaper. When I hit Ctrl+Alt+Delete nothing happens. The mouse is still up and running though!

    I ran a scan on the USB and quarantined all the infected files (.exes mainly) with Norton at school, then installed Avast for U3 and ran a scan on it again and found nothing this time around. I'm assuming it's Virut-free atm but I'm not willing to bet anything precious on that.

    Now I'm just browsing the internet in hopes of finding a solution to this headache so I can have my babies back in action as soon as possible :(


    Edit: I attached an HJT log of a scan I ran in Safe Mode at the time of this post just in case
     
  14. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Well all these can be ticked and Fixed in HJT Scan
    I'd recommend running Malwarebytes again too
     
  15. BobbySocks

    BobbySocks TS Rookie Topic Starter

    Eh, it wouldn't let me run HJT again so I just said forget it and did a full reinstall...Everything's as good as new now (I think). I appreciate all the tips and hints you guys suggested throughout this whole dilemma; you dudes are really awesome. Thank you!

    Edit: in terms of reinforcing security in this new installation kimsland, how would you suggest going about that to prevent things like that happening in the future?
     
  16. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    It's all about safe surfing
    Thanks for the update :grinthumb
     
  17. BobbySocks

    BobbySocks TS Rookie Topic Starter

    Lol alright, got it.

    As an anti-virus software though, would you recommend Avast/Avira?

    Edit: You guys are so awesome. Someday I'm definitely looking forward to giving back to this community in some form or another
     
Topic Status:
Not open for further replies.
