Member Avatar for grvs

Hello guys

I gone through "read me first" for this section and seems that I can't do anything.
Here is the problem and the things I tried to solve my problem.

The first encounter with the virus was when I tried to start gtalk (4-5 days ago), and a window poped up saying 'select the program you want to use to open this file' (you all must be familiar with this msg, it comes when we try to open something windows doesn't recognize).

I inquired and got to know that my cousin brought some files from some internet cafe which
caused the problem. I still don't know what files he brought. I looked for suspicious looking programs and files so I found some unusual things some of which i remember.

  1. driveguard.exe running in task manager
  2. a folder named driveguard in "C:/Program Files" containing driveguard.exe and a text file which i deleted instantly. so no information on them too
  3. I also felt a process wuauclt.exe which is still running in my task manager (it re-initialize it by itself when i stop/end it) is also a virus (i am a newbie)
  4. and some other process which i don't remember, I stopped (ended) them.

Then i tried opening gtalk again and same msg. similarly with other programs. I downloaded an open source antivirus from www.clamwin.com and found that i can't even install anything.

I tried gtalk (and other programs) by right clicking and selecting "run as". I could run every program. So I again tried installing by this method but again i got "access is denied".
when I select "run as" it gives me two option, namely - 1. run as current user 2. run as administrator, but my account had admin rights (this is the only account on login screen) , and when i installed windows XP i didn't create any other account by name "administrator".

so I tried creating another account with admin rights, when clicked on user accounts(in control panel) it said rundll32.exe not found, but its there. same msg for add n remove programs etc.

I tried to scan my computer from Kaspersky website and it detected 3 viruses namely
rundll32.exe, avsp.exe and one more i don't remember the name. the last one it deleted, avsp and rundll32 it couldn't.

I tried to scan my computer with sysclean.com (a dos based cleaner at trendmicro, one needs 4 files to run this) and it detected 1 viruses, namely avsp.exe I dont know whether it could delete it or not. Relevant log is as below

C:\avsp.exe [WORM_VB.EAI]
25384 files have been read.
25384 files have been checked.
25353 files have been scanned.
177734 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.

Also I cant use regedit.
anything like msconfig would again open the pop window with msg 'select the program you want to use to open this file'.

Thanks in advance

  • 2 Contributors
  • 3 Replies
  • 124 Views
  • 23 Hours Discussion Span
  • Latest Post Latest Post by PhilliePhan
Member Avatar for PhilliePhan

Sounds like you have quite a mess there!

-- Are you able to run any tools in Safe Mode?

If you want, you could try this AT YOUR OWN RISK:
Run this early beta of a scanning tool I've been writing off and on for a while. It should be safe - many of the more risky components are not included in this early version.

Download PeekabooXP.zip and EXTRACT the PeekabooXP Folder to your C:\ Drive
It needs to be there to run properly.
-- You'll need to disable your AV temporarily before you run PeekabooXP. It might hang if you don't. Run it in Normal Windows Boot, not Safe Mode.
-- Open the PeekabooXP folder on the C:\ drive and DoubleClick Run This.bat and follow the prompts.
-- A log ought to pop up in notepad - post that for me.

I'll try to check back as time permits. I've got a busy weekend of home repairs ahead of me, so I may be tied up for a bit.

Best Luck :)
PP

commented: he has a very good know of windows OS and is willing to help +1
Member Avatar for grvs

Thanks PhilliePhan

actually anything in safe mode woudn't run.
I saw that rundll32.exe and found that its icon is not like an exe file but some other which i don't know... (similar to text files in vista)
i deleted it from there n dllcache too. Downloaded new rundll32.exe from web and windows din't let me copy... (how come virus could modify it)

and so on... i kept on trying on lost my internet too....
finally i had to reinstall windows... so i can't tell you how your tool would work. but i have downloaded it for the bad times in future.

Thanks once again.

Member Avatar for PhilliePhan

and so on... i kept on trying on lost my internet too....
finally i had to reinstall windows... so i can't tell you how your tool would work. but i have downloaded it for the bad times in future.

Thanks once again.

Happy to try to help :)

At least now you can be 100% sure your compy is clean. Some good preventive measures can be found in my "Protect Yourself" linky below.

-- That version of the tool I linked doesn't fix anything even though it says it does (it contains only part of one cleaning routine). Rather, it performs like HJT and DSS to enumerate running processes, certain registry keys, newly added files, etc... Even my later versions are pretty feeble when you compare them to a tool such as combofix, LOL!

Cheers :)
PP

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.