
Viruses buggered my computer

  • 21-04-2004 4:35pm
    #1
    Registered Users, Registered Users 2 Posts: 10,299 ✭✭✭✭


    Hi. Right I downloaded a file and as it was downloading norton detected a virus on it. I cancelled the download and deleted the file but to no avail. It still infected the computer and it turned out there were 2 viruses in the file.

    They were W32.Pinfi and W32.Kwbot.worm. Now I managed to delete both the viruses but whatever damage they have done is causing my computer to constantly crash. I'm getting a lot of blue screens of death especially while playing games but sometimes just surfing the net.

    Two of the errors I've got so far are IRQL_Not_Less_Or_Equal and PFN_List_Corrupt.

    Also on boot up a process starts called uninstall.exe that uses up over 90% of the processor. The only way I can stop it is to just end task on start up. I ran MSconfig to see if I could stop it starting in the first place but it doesn't seem to be in the list.

    A fresh install of everything is just too much hassle. I have 120gigs of stuff and I have nothing backed up yet. I suppose I could go down and buy a 10 pack of DVDs. Have been meaning to get around to backing everything up.


    Any suggestions?


    BloodBath


Comments

  • Registered Users, Registered Users 2 Posts: 10,299 ✭✭✭✭BloodBath


    Seem to have encountered a new problem today also. Any programs that try to access the internet will not connect i.e. steam, kazaa, pokerstars.

    Can still connect to the net with i.e. though so it's not my connection.


    BloodBath


  • Registered Users, Registered Users 2 Posts: 10,299 ✭✭✭✭BloodBath


    Attempting to solve the problem now. Information on the two viruses from symantec.
    W32.Pinfi is a memory-resident polymorphic virus that will infect the .EXE and .SCR files. This virus can also spread via mapped drives and network shares.
    W32.Kwbot.Worm has backdoor Trojan capability, which allows a hacker to gain control of the compromised computer. The worm can update itself by checking for newer versions over the Internet. W32.Kwbot.Worm disguises itself as popular movie, game, or software files, and it attempts to spread across KaZaA file-sharing networks by tricking KaZaA users into downloading the program and opening it.


    BloodBath


  • Registered Users, Registered Users 2 Posts: 17,165 ✭✭✭✭astrofool


    try running adaware or spybot.

    Check symantec.com for a security response.

    Unless you run a downloaded file, u can't get a virus off it, also norton won't detect a virus till it's downloaded completely, it's usually spyware you get off the internet also.


  • Registered Users, Registered Users 2 Posts: 10,299 ✭✭✭✭BloodBath


    Well when norton detected it it said virus detected on download 1848952865(example number). It detected it on the file I was currently downloading, the number matched up. I didn't open the file. I cancelled the download before it was even finished then deleted what had been downloaded.

    That's what's pissing me off. I never open files without scanning them first yet I still got infected. I followed the symantec instructions for removing the viruses and it worked except the registry entries were not there to be deleted like it said on the symantec removal instructions.

    I run a scan now and nothing is detected except some adware like gator and precision time which are definitely not causing these problems. It seems I am still infected with something as new symptoms are showing up like not being able to connect to programs that require the internet.


    BloodBath


  • Registered Users, Registered Users 2 Posts: 1,835 ✭✭✭BoB_BoT


    did you delete it with norton or did you send it to the recycle bin? also do you have system restore turned on? if so try and revert back to a stage before the virus fecked ya over or well before you noticed it.


  • Registered Users, Registered Users 2 Posts: 10,299 ✭✭✭✭BloodBath


    I think I sent it to the recycle bin rob, then emptied. System restore was on but to remove one of the viruses I had to turn system restore off which deleted all previous system saves. So it's only been saved since after I had the virus.


    I have all the latest definitions and there seems to be no viruses now. I removed the adware as well so my system is totally clean now. According to norton anyway.

    What are the Irql_not_less_or_equal and PFN_list_corrupt errors?

    BloodBath


  • Registered Users, Registered Users 2 Posts: 1,835 ✭✭✭BoB_BoT


    the main reference I've seen to it BloodBath is here. Microsoft only say it has something to do with your graphics drivers and direct x compatibility. Are you using modded drivers or the standard ones? Either way download the standard drivers from ati's site and see what happens. I've seen the graphics card mentioned as a problem on a couple of german sites and a french one.

    Gl,
    Rob


  • Registered Users, Registered Users 2 Posts: 10,299 ✭✭✭✭BloodBath


    The link won't open for me Rob, I'm using the latest ATI drivers. They were working fine. I uninstalled them and reinstalled them but the same problems were occurring.

    Wish that was the only problem but from today I can't connect to anything that requires net connection except for internet explorer.

    I have changed no settings that could have caused this. Something to do with the virus I feel but neither norton nor avg can detect anything. I have no idea what it could be as windows is giving me no indication.

    Here is a list of my processes maybe someone else can spot something abnormal.

    iexplore.exe
    wmplayer.exe
    WZQPICK.EXE
    NAVAPSVC.EXE
    IAANTmon.exe
    CTSVCCDA.EXE
    CCPROXY.EXE
    avgserv.exe
    SOUNDMAN.EXE
    spoolsv.exe
    CCEVTMGR.EXE
    CCSETMGR.EXE
    taskmgr.exe
    svchost.exe
    svchost.exe
    GMT.exe
    SATARaid.exe
    svchost.exe
    ctfmon.exe
    jusched.exe
    atiptaxx.exe
    svchost.exe
    ati2evxx.exe
    avgcc32.exe
    Isass.exe
    ggviewer67-10.exe
    services.exe
    winlogin.exe
    csrss.exe
    smss.exe
    msmsgs.exe
    explorer.exe
    CCAPP.EXE
    ati2evxx.exe
    CMESys.exe
    IAAnotif.exe
    CTSysVol.exe
    opnste.exe
    Ymsgr_tray.exe
    SAVSCAN.EXE
    MsPMSPSv.exe
    ezSP_Px.exe
    System
    System Idle Process (says it's using 95-99% of processor but c.p.u usage at bottom of screen is normal 0-5%)


    At the moment it looks like I am going to have to back up as much as I can and do a full format. Gahhhh :(


    BloodBath


  • Closed Accounts Posts: 944 ✭✭✭Captain Trips


    I would say that failing a full scan of Norton and then running Ad-Aware and Spybot S&D, try and avoid backing up stuff to DVD if possible: you might find that you just back up the stuff onto it.

    Copy all your save games, your MP3s are prob okay, but basically it could try and copy itself anywhere.


  • Registered Users, Registered Users 2 Posts: 10,299 ✭✭✭✭BloodBath


    I'm only copying movies and mp3's and install files which I will scan again before installing. The problem is within windows as far as I can see. Hate having to do this as it's going to take bloody ages. Need about 20 dvd's to back up everything so it won't be too cheap either.


    Don't know how I got infected when I didn't even open the file. Wouldn't mind it wasn't even for me. Was downloading something for a friend.


    BloodBath


  • Closed Accounts Posts: 1,321 ✭✭✭neokenzo


    Have you tried running a trojan detection program?


  • Registered Users, Registered Users 2 Posts: 10,299 ✭✭✭✭BloodBath


    No would Norton or Avg not detect a Trojan? Can you give me the name of a good free Trojan detector?


    Hmmm the strangeness continues. Whatever was stopping programs that required a net connection to run is no longer doing so as I can now connect again. The whole time this happened I never got a blue screen of death until it came back then I got one almost straight away.

    That kwbot.worm was a hacking virus that would have allowed a potential hacker to access my computer. I'm not getting any unusual network activity though but it's possible while the virus was there that a hacker had access to my computer and he could have left something there.


    BloodBath


  • Registered Users, Registered Users 2 Posts: 5,982 ✭✭✭Caliden


    norton detects viruses (plural of virus?) when I'm downloading files off kazaa, during the download and doesn't allow me to fully download the infected file, basically as said time and time again, prevention is better than cure so update ur virus scanner


  • Registered Users, Registered Users 2 Posts: 10,299 ✭✭✭✭BloodBath


    Caliden my virus programs are up to date. I have autoupdate turned on on both of them. As I said earlier, the virus was detected as I was downloading it from Kazaa.


    I installed spybot which detects trojans and spyware. It detected and fixed a good few things that Norton or Avg did not pick up.

    So I think I'm rid of everything but it did some damage. I will try reinstalling all drivers for the graphics card and mobo and hopefully that will get rid of my blue screens of death.

    Things are looking up :)

    Still getting that uninstall.exe starting when windows starts and eating up the processor. Anybody know how to get rid of this? I tried going to MS config but I don't see it anywhere there.


    BloodBath


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    If you connect this PC to a network then I'd recommend re-installing on the "If a trojan runs on your PC, it becomes the trojan's PC" policy. But doesn't sound like your situation.


    For a non-critical home machine, have you considered trying to upgrade/repair the system using your Windows XP CD and then applying service packs, before you resort to starting from scratch.
    That should allow you to rule out the windows files as the issue, and not require reinstalls of other programs.

    opnste.exe is adware
    gmt.exe is gator spyware
    cmesys.exe is gator crud

    The rest look OK though.

    But corrupted exe's can't be ruled out.

    For the uninstall problem, if you're careful you can look at
    run Regedit.exe
    browse to
    My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    and post the contents.
    Same for the keys just below Run (RunOnce, RunOnceEx)
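
The check ressem describes above, as an added example that is not part of the original thread: it reads the text of a saved regedit export and lists every string value under Run, RunOnce and RunOnceEx whose command starts a given program, such as the uninstall.exe from the first post. The sample export, its value names and paths, and the function names are constructed for illustration.

```python
import re

# Constructed sample of a regedit export (.reg text); not data from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SoundMan"="SOUNDMAN.EXE"
"updater"="C:\\WINDOWS\\Temp\\uninstall.exe /s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001]
"1"="C:\\setup\\finish.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"UninstallString"="C:\\foo\\uninstall.exe"
'''

# Run, RunOnce, RunOnceEx and anything nested below them.
AUTOSTART_KEY = re.compile(r'\\CurrentVersion\\(Run|RunOnce|RunOnceEx)(\\|$)', re.I)
# "name"="string data"; inside the quotes .reg text escapes \ and " with a backslash.
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
IMAGE = re.compile(r'[^\\/"]+\.(?:exe|com|bat|cmd|scr|pif)\b', re.I)

def unescape(text):
    return re.sub(r'\\(.)', r'\1', text)

def autostart_entries(reg_text):
    """Return (key, value name, command) for each string value under an autostart key."""
    key, found = None, []
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and AUTOSTART_KEY.search(key):
            m = STRING_VALUE.match(line)
            if m:
                found.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return found

def image_name(command):
    """Lower-cased file name of the first executable named in a command line."""
    m = IMAGE.search(command)
    return m.group(0).lower() if m else ''

def find_autostart(reg_text, exe_name):
    """Autostart entries whose command launches exe_name, wherever it lives on disk."""
    return [e for e in autostart_entries(reg_text) if image_name(e[2]) == exe_name.lower()]

if __name__ == '__main__':
    for key, name, command in find_autostart(SAMPLE_REG, 'uninstall.exe'):
        print(f'{key}\n  {name} = {command}')
```

A "Version 5.00" export saved by regedit is UTF-16 text, so read the file with `encoding='utf-16'` before passing it in. The same export taken under HKEY_CURRENT_USER can be checked the same way.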


  • Closed Accounts Posts: 6,601 ✭✭✭Kali


    First of all you shouldn't be connecting to the net from a virus-ridden PC. That's highly intelligent, well done.

    But while you're here print the following:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.kwbot.worm.html
    http://securityresponse.symantec.com/avcenter/venc/data/w32.pinfi.html

    Complete their instructions on removal (usually a case of some registry edits).. and then do a full and complete virus scan.


  • Registered Users, Registered Users 2 Posts: 10,299 ✭✭✭✭BloodBath


    I'd appreciate if you read my posts before making smart remarks Kali. The computer is no longer virus ridden. I got rid of them within an hour of getting them.

    For a moderator that's a very stupid and unhelpful comment to make.

    If you read my posts you would see that I already checked the symantec instructions for removing the viruses and removed them.

    Thanks for the help.

    Ressem my windows is completely up to date as is everything on my computer. I constantly update all drivers and all virus programs are on auto update. I have service pack one already installed.


    The gator and adware programs are also gone now. I used spybot to remove everything. It was precision time that had gator installed on my computer.

    Scans with Avg Norton and Spybot show nothing so my computer is completely free of viruses as I said earlier.


    It's the damage they did that I'm trying to fix. Seems to be related to the graphics drivers so a reinstall might help. Will print the registry stuff when I get home tomorrow.


    BloodBath


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    It's the damage they did that i'm trying to fix.

    Yeah I understand that.
    What I was poorly trying to suggest was that the viruses or their removal might have damaged some of the system files on your PC,
    and before going nuclear and formatting your hard drive,
    an upgrade/repair would replace the system files and registry entries on your PC while doing its best to keep the rest of your programs and documents untouched.

    The virus removal programs can have problems telling where a trojan stops and the real program starts.

    After that you would be required to re-apply the service pack and 17 or so microsoft patches.

    You're right though to reapply the drivers, if that's what it looks like to you. I'd also include reapplying directX9b as the symptoms would be the same.

    One thing though... are you sure that running 2 virus killers simultaneously is a good idea? Usually they use windows API hooks to catch the file-created event and there might be a race condition issue between the two to test and quarantine/delete the file. (delete forbidden when other program is reading the file).

    Not to mention killing the performance of your nice new PC.


  • Registered Users, Registered Users 2 Posts: 2,530 ✭✭✭patch


    If you're going to format, you may as well partition the drive and take a ghost image.
    It's a simple enough procedure and will save you having to go through all this again.


  • Registered Users, Registered Users 2 Posts: 10,299 ✭✭✭✭BloodBath


    Cheers for the help Ressem I will try that when I get home and post up the registry.

    Patch I have 2 x 120gig samsung drives running RAID 0. Will it be easy to partition and make a ghost image with this? I have used up just over half of the available drive space.

    Would it not be easier to make a partition and install windows on it then transfer my files to the new partition. I wouldn't be able to play the installed games if I did this though would I as I don't have the cd's to reinstall some of them. If I ghosted it though I would be able to right?

    Could I then remove the partition and delete all the old data?


  • Closed Accounts Posts: 1,321 ✭✭✭neokenzo


    You won't have any problem imaging your hdd using ghost. However, it would compress between 60% to 70% only. So you're still looking at rather large image. Also, after you have imaged your drive, check the integrity of your image. You don't want to remove your array only to find out you can't restore your image. Only run imaging program from DOS and not from Windows.

    One thing you should keep in mind is that if you haven't resolved your virus/trojan problem, when you image your hdd, you will be copying the virus/trojan as well.


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    careful:
    http://service1.symantec.com/SUPPORT/ghost.nsf/docid/1999010613522725&src=w
    # Ghost does not work with software level RAID.
    # Although Ghost might work in some limited circumstances with hardware level RAID, Symantec does not support using Ghost for cloning hardware level RAID drives.

    New versions of partition magic are meant to deal with hardware raid.


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    Something I saw in a boards\..\opsys\windows post, that I hadn't come across before.
    Obviously it's not the best solution in the long term and you should try to find out what is causing the system failure if you can. Go to START Run and enter: SIGVERIF.EXE. This will list all the unsigned device drivers on your computer.

    It'll include acrobat and similar bits and pieces, but your graphics and multimedia drivers should be signed and not be listed if you're not using betas. Anything here has the ability to cause problems.

