Self replicating VIRUS help needed please.. :(
Comments
-
Nope CleanUp! cleaned very well and deleted about 175MB of junk which was nice, virus still remains.. TrojanHunter took about 4 hours to scan with no sign of finishing, so I might leave it running while I'm asleep, doubt it will find anything though..
I just want to know what is creating the virus copies or is it the virus itself? Do you think I would need to go into the registry and delete some files from there?
I don't know what to do anymore, usually I'm pretty good with this sorta thing, but I really don't know where to start with this one.
Just so you know, the computer with the virus on is not connected to the internet at the moment so it can't download new copies of the virus or anything like that.
I fear I may have to reformat but I've got about 100GB of stuff and it would be a shame to lose it all...
Thanks again for all your time and effort - Stervo0 -
Are you using Microsoft VM (virtual machine) by any chance? To find out, type JVIEW at a command prompt. If you get an error saying the command isn't recognized it means MS VM isn't installed on your system. Otherwise the top line of the output displays the VM version and depending on the version there are vulnerabilities which are exploited by Trojan.ByteVerify. See Security Bulletin MS03-011 for more information.
Also, make sure you're fully up to date with Windows Update.
-
Mr Skint - off where? You are such a useful person on techie problems, and we don't want to lose you!!
-
Ah...java. Don't you just love it! What a mess it can cause/allow.
OK. Two more thoughts. Both mean you are going to have to get more invasive to dig this one out.
To answer your question about what is causing the self replication - this could be an ".exe" file somewhere on your system that has managed to hide itself well. Not likely, given the java bytever virus, but possible.
Now on to the suggestions.
FIRST
Chippy_Minton hints at a possible answer. I recommend you uninstall/remove any MS VM (or Sun Java if you have that instead) then go back online here....
http://www.java.com/en/download/manual.jsp
....and re-install Sun Java
--> WARNING...Don't forget to have your antivirus and firewall up & running when you connect this PC back to the net.
If you have a fast internet connection (Broadband) run online scans here….
http://www.pandasoftware.com/activescan/
…and here…..
http://housecall.trendmicro.com.
When running the Panda Activescan make sure you click the Free Online Virus Scan in the upper right hand corner of the page under the Free use Activescan header. I do NOT want the default spyXposer scan.
Once it has finished save the Activescan log. Then post that log in your next post.
Please run ALL the free scans offered by Housecall.
Make sure they both perform full system scans.
If either/both scans find something they cannot fix - perhaps because the infected files are "in use" - please make a note of the file(s) concerned and post the details back to this thread.
SECOND
IF this doesn't improve the situation I will take a look at your HijackThis ["HJT"] log.
Please download and install the latest version by going HERE....
http://www.spywareinfo.com/~merijn/files/HijackThis.exe
After you install HJT make sure it's running from a permanent location by moving the HJT folder to a permanent place on your hard drive such as C:\HJT. This will ensure that any backups made are not lost.
Double click the HJT file and you will be presented with a window with several options. Choose the top one "Do a system scan and save a log file".
Two things will happen....a system scan will take place (probably a few seconds) then a Notepad logfile will open on top of the system scan. Copy & paste the results of that logfile to this thread. PLEASE DON'T DO ANYTHING ELSE WITH HJT.
-
Mr pchelpman,
I thank you for all of your advice as it is much appreciated... Firstly I re-installed Sun Java, and the online Panda scan has only just finished (I started the scan early Friday evening) and it only found some adware:
C:\WINDOWS\SYSTEM32\ustart.exe
and 3 deleted viruses that came in an email and were deleted by Norton automatically;
Virus:W32/Sober.AH.worm - Personal Folders\Deleted Items\*name of email goes here*\*name of zip file*.zip[File-packed_dataInfo.exe]
So the virus still remains.. I think I will do all the scans offered by http://housecall.trendmicro.com now and report back if it finds anything, and I will also post the HJT log when I get it done.
Thanks again - Stervo
-
Oooh another thing that I forgot to mention is that my CPU usage is always at 100% now where the 'Image Name' is System and that process is using all my resources. The memory usage for this process is only 240 K.
Hmmm... thanks - Stervo
-
Morning Stervo
If I read you right that "System" shouldn't be using almost anything....well, only a couple of % points from time to time. Certainly NOT 100%.
Let us know what happens after you've scanned with all 3 scanners at Housecall.
One more thing....do you have/use Spybot Search & Destroy? If not it's free, good and it's here....
http://www.safer-networking.org/en/index.html
Download it, install and scan (scan could take a fair while first time round). Have it fix anything it finds "bad".
Again let us know what happens.
If you get any more notifications of viruses etc. please post here the full location address.
I would be interested to see your HJT log also.
Will await developments.............
-
Hello there pchelpman,
The Housecall virus and spy-ware combo scan is still running on my computer and it's been going for 24 hours and 17 minutes with no sign of finishing soon.
100% CPU all the way. I HATE it.
Thanks again - Stervo
-
If the virus is resident in memory, you may have to kill it using task manager (CTRL ALT DEL) before you can clean it using a virus scanner. Go into task manager, sort it into CPU utilisation order, and try end task on the processor hogging exe's. Make a note of what you have killed, and see if it calms the machine down; if it does, you may have identified the exe responsible.
Autoruns from sysinternals.com is an easy way to spot and disable rogue programs and browser helper objects that run at startup.
Regarding those online scanners, even the reputable ones don't seem to clean up after themselves, and leave all sorts of rubbish on your system, which you have to manually delete. I prefer to stick with either McAfee or Norton, and make sure the dat's and engines are up to date.
https://www.nai.com - download superdat, or liveupdate for Norton.
Same thing applies to Spybxx, it's bloated.. Lavasoft's ad-aware is a much cleaner spyware scanner in my opinion.
IF you have XP, the Microsoft anti-spyware beta is also something to try (after running Windows update).
If you haven't already disabled system restore, and cleaned up the restore points, then you could try to use system restore to correct the problem - i.e. restore to a time before you got infected.
Ever get the feeling you are wasting your time? :rolleyes:
-
albertross - firstly, thanks for your comment, secondly I don't believe that the virus is in resident memory as I have been through all the processes that are in there and none of them are 'new' or unexpected. The process using 100% CPU is System and if I ended that the whole computer shuts down.
Ad-aware is very good.
I've been scanning for 25 hours and 41 mins now, it's not even funny.
Thanks - Stervo
This discussion has been closed.
