Serious problem -- virus/worm?

glowninja (Member, joined Feb 3, 2001)
Lately my system has been freezing up--then resuming.

Example: typing in Word while listening to Winamp, the whole system locks, the sound buzzes, then resumes just fine. This is intermittent. It also happens during games.

An odd thing started happening yesterday; it was as if my Windows key was permanently stuck down. Hitting the F key would bring up a Find window, R would bring up Run.

This appeared to be some sort of accessibility feature that I never turned on. While trying to disable this, on a reboot my system came up with "NTLDR not found -- Press Ctrl+Alt+Del to restart."
Couldn't get into Windows AT ALL. No disks in the drive. No way to get on the web to troubleshoot.

I bit the bullet and reformatted my system partition, clean install. Now I'm noticing these weird processes in Task Manager: wmiprvsrv.exe, wuauclt.exe, and another wu file. Googling these shows a possible trojan, but I don't have any of the files it suggests in the registry. End-tasking them causes a different one to show. I found instances of them in /windows/system32/i386 and /windows/system32/wbem. There are also prefetch files for these, which I've deleted.
Deleting these and rebooting has had no effect.

I'm totally stumped. Can't find anything out on the web. I have run Windows Update and am fully patched. I installed SP1 instead of SP2. I've also run a full virus scan, in safe mode as well, with no results. I use the NAT firewall on my Belkin router.

Help!!!!

EDIT: I deleted wuauclt.exe out of /system32/wbem. Windows File Protection came up and says "Files required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files." Insert SP1 CD now. AUGH
 
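The pattern in the post above (a system-binary name running from a directory where that binary does not belong, and a near-miss name such as wmiprvsrv.exe next to the real wmiprvse.exe) is exactly what a process-list check can surface. The following is an added example, not anything posted in the thread: it classifies a process list exported as CSV (the Name/ExecutablePath column set that `wmic process get Name,ExecutablePath /format:csv` produces, as assumed here) against a small table of where the genuine XP binaries live. The table, the sample rows and the thresholds are assumptions for this example.

```python
"""Flag running processes whose image path is not where the genuine Windows binary lives."""
import csv
import difflib
import io
import ntpath

# Where the XP-era system binaries mentioned in the thread are installed.
# Assumed table for this example; %systemroot% stands for the Windows directory.
CANONICAL = {
    "wuauclt.exe": r"%systemroot%\system32",        # Automatic Updates client
    "wmiprvse.exe": r"%systemroot%\system32\wbem",  # WMI provider host
    "svchost.exe": r"%systemroot%\system32",
    "lsass.exe": r"%systemroot%\system32",
    "explorer.exe": r"%systemroot%",
}


def normalise(path, system_root=r"C:\WINDOWS"):
    """Lower-case the path and replace the Windows directory with %systemroot%."""
    p = ntpath.normpath(path).lower()
    root = system_root.lower()
    if p == root or p.startswith(root + "\\"):
        p = "%systemroot%" + p[len(root):]
    return p


def classify(image_path, system_root=r"C:\WINDOWS"):
    """Return (verdict, detail) for one process image path."""
    directory, name = ntpath.split(normalise(image_path, system_root))
    if name in CANONICAL:
        expected = CANONICAL[name]
        if directory == expected:
            return ("ok", name)
        return ("wrong-directory", f"{name} running from {directory}, expected {expected}")
    # A name one or two characters off a real system binary is the classic disguise.
    near = difflib.get_close_matches(name, CANONICAL.keys(), n=1, cutoff=0.8)
    if near:
        return ("lookalike-name", f"{name} resembles {near[0]}")
    return ("unknown", name)


def triage(csv_text, system_root=r"C:\WINDOWS"):
    """Classify every row of a CSV that has Name and ExecutablePath columns."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        path = (row.get("ExecutablePath") or "").strip()
        if not path:  # kernel-side processes such as System report no image path
            continue
        results.append(classify(path, system_root))
    return results


# Constructed sample process list (not real output from the poster's machine).
SAMPLE = r"""
Node,ExecutablePath,Name
PC1,C:\WINDOWS\explorer.exe,explorer.exe
PC1,C:\WINDOWS\system32\wuauclt.exe,wuauclt.exe
PC1,C:\WINDOWS\system32\i386\wuauclt.exe,wuauclt.exe
PC1,C:\WINDOWS\system32\wbem\wmiprvse.exe,wmiprvse.exe
PC1,C:\WINDOWS\system32\wbem\wmiprvsrv.exe,wmiprvsrv.exe
PC1,C:\Program Files\Winamp\winamp.exe,winamp.exe
PC1,,System
"""

if __name__ == "__main__":
    for verdict, detail in triage(SAMPLE):
        print(f"{verdict:16} {detail}")
```

Two caveats. On-disk copies of system files under dllcache or ServicePackFiles are normal (that is the cache Windows File Protection restores from), so this only looks at what is actually running. And a path check says nothing about a genuine file that has been overwritten in place; for that you compare hashes or signatures against known-good media.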

DetroitSportsFan (Senior member, joined Oct 19, 2004)
It may be too late to have SP2 do a whole lot of good if your system is already compromised. Hopefully it's not, if you took proper precautions during your initial install.

You know, even though I speak of spyware/malware/viruses a lot, I'll also be the first to tell you that it's not the only thing that will keep your system from running smoothly. What I don't have at this point is some valuable extra information. I need your total system specs, including brand name and number of watts on your power supply. It would also be helpful if you posted your system temps and the voltages on all three power rails and your vCORE. All this information goes toward us being able to solve your problem.


 

mechBgon (Super Moderator, Elite Member, joined Oct 31, 1999)
Originally posted by: glowninja
*bump*

Sigh. :/

I'm trying to install SP2 right now.

What I'd do is isolate the system from all sources of worms (like your network cable) and start over. Edit: if it isn't clear, I mean begin WinXP Setup again from scratch.

Download the full Service Pack 2 installer and burn it to CD so you can install it offline; that'll plug the (known) wormholes and also get your firewall turned on.

Install your antivirus software. If you can download an offline updater, like Norton's Intelligent Updater for example, get that burned to CD too so you can update while offline.

Give your Admin-class accounts strong passwords, meaning something non-dictionary containing at least a symbol, how about p1zza=yummy or something.

Enable Data Execution Prevention for all programs (right-click My Computer > Properties > Advanced > Performance > Advanced > Data Execution Prevention, if memory serves me correctly). This is a feature of SP2, so you've got to get SP2 on there first.

Now you have your rudimentary defenses in place and you can plug in the network cable, update your antivirus definitions, and go to Windows Update for some updates.

After that, if you run Microsoft Baseline Security Analyzer, you'll probably find that your work's still not done. Get those other patches for the heck of it.

Since your system apparently got taken down by worms, I'm guessing you don't have a hardware firewall (a router) between your modem and your computer. Consider getting one, such as a Linksys BEFSR41 or Netgear RP614, to be your perimeter firewall. They don't cost that much.

So the thing I'm driving at is that you want the computer armed and armored BEFORE you ever plug it into the network cable. It is a best practice to also have a Limited-class account that you (and any other users of the computer) use for "daily-driver" usage, and use the Admin-class account only when you need Admin powers, such as installing a new printer & software or whatever.

Hope that helps
 

DetroitSportsFan (Senior member, joined Oct 19, 2004)

Originally posted by: mechBgon
Since your system apparently got taken down by worms, I'm guessing you don't have a hardware firewall (a router) between your modem and your computer. Consider getting one, such as a Linksys BEFSR41 or Netgear RP614, to be your perimeter firewall. They don't cost that much.

This is why it doesn't make sense for a broadband connection to NOT have a router. So frequently, after mail-in rebates, your router may even be FREE. I've got the "Linky"; had it for about 2 1/2 years; been a solid investment for me!

 

schultzey11 (Member, joined Nov 14, 2003)
Funny, I recently got high speed internet, and my computer seems to be sluggish at times. I don't have any type of firewall set up, but am running Norton anti-virus software. I have noticed bogus programs self-installing themselves without permission. I am able to remove the programs but not sure I am getting all. Normal virus scans do not detect anything. I have a dual processor system with AMD MP 2000s, 512MB Crucial RAM, and SCSI; this thing should fly! It is also very slow at shut down and start up. What type of firewall do you recommend and where do I buy a high speed modem?
 

mechBgon (Super Moderator, Elite Member, joined Oct 31, 1999)

Originally posted by: schultzey11
Funny, I recently got high speed internet, and my computer seems to be sluggish at times. I don't have any type of firewall set up, but am running Norton anti-virus software. I have noticed bogus programs self-installing themselves without permission. I am able to remove the programs but not sure I am getting all. Normal virus scans do not detect anything. I have a dual processor system with AMD MP 2000s, 512MB Crucial RAM, and SCSI; this thing should fly! It is also very slow at shut down and start up. What type of firewall do you recommend and where do I buy a high speed modem?

This sounds like a case of spyware and trojans, schultzey. The slowness is probably because the junk is either reporting all the sites you visit, or busy sending several thousand Spam emails a day behind your back, or so on.

I take what Yoda calls "the easy path," and suggest that you back up your data, unplug your network cable to keep the worms out, and reinstall Windows XP while the computer is not connected to your broadband modem. Edit: on second thought, just hit this page since you'd be doing a fresh install, and follow both the wormproofing and "Ongoing prevention" suggestions. There are links to some things you'd want to have pre-downloaded and burned to CD for offline use, including Service Pack 2 for Windows XP (assuming you have WinXP).

Yeah, you can take the hard road if you want, and do battle with the stuff and maybe win, but my method ALWAYS works :evil: and sometimes is faster. If you want to stand and fight, check out Schadenfroh's excellent guide here.

I also recommend getting a home router such as a Linksys BEFSR41 or Netgear RP614, to sit between your broadband modem and your computer(s). They'll firewall your computer(s) from the Internet and the non-stop barrage of worm attacks and script kiddies trying to ha><0r your computer.

If you can handle it, after reinstalling Windows, also make yourself a Limited-class user account and use that for daily-driver stuff. Use the Administrator-class account only when you NEED the elevated privileges. And don't install software of, shall we say, questionable pedigree.

Hope that helps. If you want further help, I suggest clicking New Topic and making your own thread; that way more people will notice your request.
 

SagaLore (Elite Member, joined Dec 18, 2001)
Do you run any P2P programs like Kazaa, iMesh, eDonkey, BearShare, etc.?
 

DetroitSportsFan (Senior member, joined Oct 19, 2004)
If you want to be sure, download and post your HijackThis log. This goes for both glowninja and schultzey11, but please, schultzey, start your own thread!

You can download HijackThis from HERE.
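Reading a HijackThis log by eye is most of the work the previous post is asking the helpers to do, so here is an added example (not from the thread or from HijackThis itself) that does the first pass automatically. It parses the registry-style O4 autostart lines (the `O4 - HKLM\..\Run: [Name] command` shape, as assumed here from the log format) and flags the usual red flags: a program started from a temp or profile scratch directory or a drive root, an odd autostart file type such as .pif or .bat, and a core service-started binary such as wuauclt.exe appearing in a Run key at all. The sample log, the directory list and the binary set are constructed assumptions for this example.

```python
"""Triage the O4 (autostart) entries of a HijackThis log for the usual red flags."""
import ntpath
import re

# Registry-style O4 lines: "O4 - HKLM\..\Run: [Name] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

EXE_EXTS = (".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js", ".dll")
ODD_EXTS = (".pif", ".scr", ".bat", ".cmd", ".vbs", ".js")
# Directories a legitimate autostart almost never lives in (heuristic, assumed here).
SUSPECT_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\recycler\\", "\\local settings\\")
# Core binaries started by the service control manager or winlogon, not via a Run key.
SERVICE_STARTED = {"wuauclt.exe", "wmiprvse.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def first_path(cmd):
    """Pull the program path out of a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXE_EXTS):
            return " ".join(tokens[: i + 1])  # re-join unquoted "Program Files" style paths
    return tokens[0]


def program_path(cmd):
    """The file that actually runs; for rundll32 that is the DLL it is told to load."""
    path = first_path(cmd)
    if ntpath.basename(path).lower() == "rundll32.exe":
        rest = cmd.split(path, 1)[1].strip()
        path = first_path(rest).split(",")[0]
    return path


def reasons_for(path):
    """Return the list of red flags for one autostart program path (empty if clean)."""
    low = path.lower()
    base = ntpath.basename(low)
    out = []
    if any(d in low for d in SUSPECT_DIRS):
        out.append("runs from a temp/profile scratch directory")
    if re.match(r"^[a-z]:\\[^\\]+$", low):
        out.append("runs from a drive root")
    if base.endswith(ODD_EXTS):
        out.append(f"unusual autostart file type {ntpath.splitext(base)[1]}")
    if base in SERVICE_STARTED:
        out.append(f"{base} is service-started, not a Run-key program")
    return out


def triage(log_text):
    """Return (line number, entry name, program path, reason) for every flagged O4 entry."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = program_path(m["cmd"])
        for reason in reasons_for(path):
            findings.append((lineno, m["name"], path, reason))
    return findings


# Constructed sample log excerpt (not a real log from either poster).
SAMPLE_LOG = r"""
Logfile of HijackThis
Platform: Windows XP SP1 (WinNT 5.01.2600)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\system32\i386\wuauclt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] C:\Documents and Settings\Owner\Local Settings\Temp\msnmsgr.pif
O4 - HKLM\..\RunOnce: [Setup] C:\setup.bat
"""

if __name__ == "__main__":
    for lineno, name, path, reason in triage(SAMPLE_LOG):
        print(f"line {lineno}: [{name}] {path}: {reason}")
```

A clean pass over this list is not a clean bill of health: the rules only catch the lazy cases, and an entry in Program Files with a plausible name still needs the file itself checked. The point is to get the obvious items to the top of the list before a human reads the rest of the log.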
 