I have a worm that I cannot clear. (Ideas?)



Waldo.Pepper
02-02-2007, 05:02 PM
I don't know the name of it.

Will not allow safe mode. Gives me a stop error. WinXP SP2 will boot normally.

It has rendered AVG useless. I have uninstalled AVG and it keeps me from reinstalling it, with the following error:


Local machine: installation failed
Installation:
Error: Action failed for file avgamsvr.exe: creating file....
No such file or directory

CCleaner has been run, successfully, without success.

Trend Micro online scanner runs for a while then gets shut down by itself!

HijackThis shows nothing untoward.

I have a folder that is empty that I cannot delete, even using something like Killbox.

Doing a repair install of XP will of course not clear the bug/worm.

So any ideas, other than fdisk/format/reinstall?

Also ran Adaware without resolution.

ZappaTime
02-02-2007, 05:15 PM
Sounds like a tricky customer.
I assume Windows Restore will not get rid of it either; these sometimes infect the restore files and you have to clear them and turn off restore for a virus checker to then get rid of it in the restore files.

I can only suggest McAfee's online virus scan, or there's an outside chance Spybot may get rid of certain things; this worm has clearly done quite a bit.

McAfee or Norton Antivirus (Symantec?) often have instructions and tools on their sites to remove such stuff if you know its name.

Sorry, I can't give any more specific help. Good luck.
Z

flox
02-02-2007, 06:00 PM
Windows Defender maybe?

MadRuski
02-02-2007, 06:03 PM
yep indeed, try Spybot
http://www.spybot.com/en/download/index.html

AKA_TAGERT
02-02-2007, 06:07 PM
hot tea with lemon and a teaspoon of sugar

WarWolfe_1
02-02-2007, 06:10 PM
quote: Originally posted by MadRuski:
> yep indeed, try Spybot
> http://www.spybot.com/en/download/index.html

That should do the trick.

If not, I would use a heavy duty hammer drill or blow torch :)

Jaws2002
02-02-2007, 06:15 PM
I doubt Spybot will do it, but it won't kill you to try. I have both Spybot and Adaware.

Try the Kaspersky free trial antivirus. I was able to get rid of a worm the same way about a year ago.
I don't say it is much better than other antivirus software, it just worked for me. It is worth a try.
I think you should disable System Restore while you run the antivirus.

Waldo.Pepper
02-02-2007, 06:16 PM
I downloaded spybot and tried to install it.
This is what it does.
I checked the option to update automatically, then run the program on closing the install routine.

I AM AMAZED AT WHAT HAPPENED NEXT!

Spybot did not start, so I reran the install. Same thing - nothing.

So I opened up the Program Files/Spybot folder and watched while I ran the install yet again.

The spybot exe file was deleted before it could be executed! I SAW IT HAPPENING! I watched it.

Ewido is prevented from saving updated files.

I think I am screwed.

Watch out! Before it gets you too!

Monterey13
02-02-2007, 06:16 PM
Try this... http://vil.nai.com/vil/stinger/

McAfee AVERT Stinger
Stinger is a stand-alone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but rather a tool to assist administrators and users when dealing with an infected system. Stinger utilizes next generation scan engine technology, including process scanning, digitally signed DAT files, and scan performance optimizations.

Cuendillar
02-02-2007, 06:18 PM
I have had the same problem a couple of times. I use HijackThis! and CCleaner to determine which .dll & .ini file is causing the problem. Usually it is located in the Windows/system folder. The .dll and .ini files are usually reverse named (e.g. one will be ixit.dll and the other tixi.ini). Once you identify the suspect file, use VundoFix to eliminate it. In short, the .dll is loaded into the upper memory (TSR) and even if you eliminate it, a reboot brings the problem back. Without eliminating the .dll AND the .ini file, it will just keep popping up over and over. None of the virus scanners I have used will catch malware items. Spybot can, on occasion, but every time you eliminate it without getting rid of the resident .dll, it replicates and renames itself so you have to track it all down again.
Even better, all of the above programs are freeware.
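Cuendillar's reverse-named .dll/.ini heuristic can be turned into a quick triage check that lists mirror-named pairs, with sizes and timestamps, without touching anything. This is an added example, not code from the thread; it assumes you point it at a mounted offline copy of the system folder (a slaved drive, as PFflyer describes), and the sample folder it builds is constructed data.

```python
"""Hunt for reverse-named .dll/.ini pairs (e.g. ixit.dll + tixi.ini) in a folder.

Added example, not from the thread. Run it against a mounted offline drive or a
copy of the suspect system folder; it only reads names and metadata, never
executes or deletes anything.
"""
import tempfile
from pathlib import Path


def find_reverse_named_pairs(directory):
    """Return sorted (dll_path, ini_path) pairs whose stems are mirror images.

    Palindromic stems (abba.dll / abba.ini) are skipped: a same-named .ini next
    to a .dll is ordinary for legitimate software and would only add noise.
    """
    directory = Path(directory)
    inis = {}
    for p in directory.iterdir():
        if p.is_file() and p.suffix.lower() == ".ini":
            inis.setdefault(p.stem.lower(), []).append(p)

    pairs = []
    for p in directory.iterdir():
        if not (p.is_file() and p.suffix.lower() == ".dll"):
            continue
        stem = p.stem.lower()
        mirrored = stem[::-1]
        if mirrored == stem:
            continue
        for ini in inis.get(mirrored, []):
            pairs.append((p, ini))
    return sorted(pairs)


def describe_pairs(pairs):
    """Turn pairs into lines a triage note can carry: names, sizes, mtimes."""
    lines = []
    for dll, ini in pairs:
        d, i = dll.stat(), ini.stat()
        lines.append(f"{dll.name} ({d.st_size} B, mtime {int(d.st_mtime)}) <-> "
                     f"{ini.name} ({i.st_size} B, mtime {int(i.st_mtime)})")
    return lines


def build_sample_dir():
    """Constructed stand-in for a Windows system folder (sample data, not real)."""
    d = Path(tempfile.mkdtemp(prefix="sample_system32_"))
    for name in ("ixit.dll", "tixi.ini", "kernel32.dll", "desktop.ini",
                 "ntoskrnl.exe", "abba.dll", "abba.ini", "IXIT.DLL.bak"):
        (d / name).write_bytes(b"\x00" * 16)
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    hits = find_reverse_named_pairs(sample)
    print(f"{len(hits)} suspect pair(s) in {sample}")
    for line in describe_pairs(hits):
        print("  " + line)
```

A hit is a lead to check against the file's signer and creation time, not proof on its own.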

stelr
02-02-2007, 06:31 PM
Concur with Cuendillar.

Whenever I have had a nasty worm or trojan, I have found the old Computer Cops (now called Castle Cops) site to be very helpful. These guys (forum admins) will take you through a clean-up step-by-step and check your work every step of the way, until the problem is solved.

Great site here: http://www.castlecops.com/

AKA_TAGERT
02-02-2007, 06:42 PM
quote: Originally posted by Waldo.Pepper:
> I downloaded spybot and tried to install it.
> This is what it does.
> I checked the option to update automatically, then run the program on closing the install routine.
>
> I AM AMAZED AT WHAT HAPPENED NEXT!
>
> Spybot did not start, so I reran the install. Same thing - nothing.
>
> So I opened up the Program Files/Spybot folder and watched while I ran the install yet again.
>
> The spybot exe file was deleted before it could be executed! I SAW IT HAPPENING! I watched it.
>
> Ewido is prevented from saving updated files.
>
> I think I am screwed.
>
> Watch out! Before it gets you too!

Yikes!
Sounds like it is time to re-format?
Or try burning Spybot to a CD and install it from the CD, then it can not delete the exe.

Waldo.Pepper
02-02-2007, 06:42 PM
Thanks guys, I had already searched castle cops (nothing there that fits my case).

I have not posted yet.

So far ALL online scanners are being crippled by this little bugger. Most recently the Symantec one tells me I have ActiveX turned off or I am running IE 5! (Wrong on both counts! ActiveX is on and I ran it in IE 6.)

Sophisticated beast! I shall not be giving up and reinstalling. I am pissed off now!

I may be making some progress giving this thing a name, though. Ewido has remained running. Fingers crossed.

Woof603
02-02-2007, 07:18 PM
I've had success with AVG support, also CastleCops. Suggest you post on their forums. Protonic.com has also been very helpful.

jetsetsam
02-02-2007, 07:19 PM
Just a thought from a neat freak.

Have you cleaned out your registry lately?

Maybe something has been lodged in there that the usual sweepers don't check for.

JV16 Powertools is great. You can get a month free trial from here:

http://www.macecraft.com/jv16powertools2006/

It can also deal with Startup programs (and maybe worms).

Pirschjaeger
02-02-2007, 07:51 PM
Have you considered the time you've lost trying to deal with this, and so far in vain?

Life is too short and nerves are too few Waldo.

I used to do like a lot of guys and run all sorts of anti-virus, anti-worm, anti-this, and anti-that programs. Every program mentioned in this thread, except one, is just a bad memory to me. Wasted time and frustrations.

So, one day I thought about it. Why do I need an anti-virus program? If I have a good firewall and a failsafe plan I'd save a lot of time and nerves.

My logic goes something like this: it's only logical that a promotional program or free program are the only ones to trust. They must be good for various reasons. I spent a lot of money on programs like Norton.

I install Windows to the C: partition. Whenever possible, I install all programs, except for games, in D:. Games are installed on E: and F: is left for saved files.

It seems logical to me that the fewer folders and files on C:, the faster and smoother Windows can run. I install the free version of ZoneAlarm before I even connect to the net. I run AdAware SE every few days or immediately after a surfing session. I keep all my drivers and programs, including XP, in one place as a package.

I live in China, the world's most virus and worm infected net. So I expect I'll have viruses and worms, some even sponsored by the government. Sounds a little "conspiracy theory" but I actually know the guy that designs these for the "Public Security Bureau". I give him a hard time about it too. :D

If I get or suspect a virus or worm I simply reinstall. I lose an hour of my time but I don't get frustrated in the least. I can reinstall everything in just under 1 hour, that includes formatting C: and D:.

Funny thing is, I don't get as many viruses or worms as I used to when I had a complete army of programs designed to keep me "safe". I also spend many hours (minimum 2 per day) surfing the web for my research.

In my opinion, anti-virus programs are simply the Emperor's clothing or at least a novelty.

BTW, on average, I get about three months of peace and serenity with my pc before I have to spend an hour for a fresh install. Think outside the box. If you follow sheep you will often step in sheep dip.

Anyways, just a piece of alternative advice.

PFflyer
02-02-2007, 08:38 PM
OK, I work on computers for a living, fixing stuff like this, and I am going to give you a method that not too many use but is very powerful.

Take your hard-drive out and install it as a slave in a good computer that has Spybot S&D, AdAware and an updated trial version of Panda antivirus installed.

Then just run the spyware and virus scanners on the hard disk and it will clean a lot of stuff off, not all maybe because its OS is not running, but it will clean it enough for you to install it back in the computer and run the anti-virus/spy programs.

Make sure you save or print out a log of everything the spy/virus programs find, because after they are done you are going to start in safe mode and run regedit and get rid of all the entries that do not belong there.

This method of having the HD in another computer, scanning it with another computer's OS, will also let you waltz right into and look at, and remove any suspicious files that are in Program Files or WINNT.

In the future, make a small, maybe 15 GB partition just for your OS, and install all your important programs and info on a partition separate from it; that way you can wipe it out anytime you want to, reinstall your OS and not lose all your stuff or have to back it up on disks.

You can use the nLite program to make a new Windows XP disk that has all your drivers for your MB and hardware already on it! And also you can have all the latest XP updates you want integrated into it, so when you do reinstall XP, you do not have to mess around with updating it and installing separate driver disks.

Good luck.

DKoor
02-02-2007, 09:41 PM
The only real anti-virus program that consumes almost nothing (especially compared to the others) is NOD32. That program is a brilliant piece of software, updated every few hours (automatic updates).

It's a top prog.

About deleting .EXEs, just try what TAGERT said: start it from CD. That worm cannot delete it from CD. Also one other thing: have you tried to identify it via Windows Task Manager processes?
If something looks fishy to you, just type it into Google and it usually instantly gives you an answer about the process.
For instance APING.EXE is the Hyperlobby exe etc.

quote: Originally posted by PFflyer:
> IN the future, make a small, maybe 15gig partition just for your OS, and install all your important programs and info on a partition separate from it, that way you can wipe it out anytime you want to, reinstall your OS and not lose all your stuff or have to back it up on disks.

This is great advice, everyone should do this. Backing up is done within 10 mins if no other solution works.
Time & nerves = saved.

jarink
02-02-2007, 10:07 PM
I'll go along with what PFflyer said about putting the drive in another computer for cleaning. I do the same thing every so often at work.

Pirch, that's an interesting theory, but it's surely not for everyone, especially novices. I've done something similar for going on 12 years now, keeping my OS on one physical drive and all my data on another. It makes upgrading to a new PC easier, too! As long as you keep good backups, that's actually one of the best and easiest ways of safeguarding your OS.

Instead of reinstalling, though, I'd suggest using disk-imaging software like Norton Ghost to back up a 'good' install complete with drivers and Windows updates. That method usually only takes minutes for a recovery and a lot less work since you don't have to reinstall and configure everything!

As for thinking "outside the box", I've recommended to several people that they use a virtual machine for browsing. There are free programs available, including a nice one from VMware with several preconfigured (Linux) VMs available for download. Note that running Windows in a VM will require its own license. Interestingly, MS recently released a free, but time-bombed VM of XP specifically for running IE6 (for backwards compatibility on machines that have IE7 installed). The IE7 team has hinted they may release a new one when this one expires.
Internet Explorer 6 Application Compatibility VPC Image (http://www.microsoft.com/downloads/details.aspx?FamilyId=21EABB90-958F-4B64-B5F1-73D0A413C8EF&displaylang=en)
It's a 495MB download. You also need MS Virtual PC 2004 (http://www.microsoft.com/downloads/details.aspx?FamilyId=6D58729D-DFA8-40BF-AFAF-20BCB7F01CD1&displaylang=en), which is also a free download. (Supposedly it will not run on XP Home, but I have heard of many people doing so with no problems.)

Your VM gets infected? Delete the VM's hard drive file(s) and start a fresh copy. Some, like MS Virtual PC, also have "undo disks" that allow you the option of saving file changes at the end of your session. Get infected? Don't save the changes.

Xiolablu3
02-03-2007, 04:58 AM
I also work with computers and I would go with the reformat, as you can be sure that you will be rid of it for sure.

If you have stuff on the hard drive that you need, then copy it to disc before you format.

I have all my stuff on one DVD so that I can reformat, have windows installed and all my stuff back on in an hour.

This option will have it done in 2-3 hours, whereas trying to get rid of it could take you weeks.

Also: I agree with Pirsch, I only use a firewall and a little prog (250k) called 'Startup Monitor' (check it out Pirsch). I never use AV progs. I think I have caught a couple of viruses in the 5 years I have been computing, that's it. Both of those times I reformatted. Common sense and a good firewall work wonders.

Startup Monitor:

http://www.mlin.net/StartupMonitor.shtml

(tells you if something is trying to change your startup files and lets you stop it from doing that)

BaldieJr
02-03-2007, 06:02 AM
Dude, if you have a worm, GET OFF THE INTERNET.

Sheesh. Do you go to work when you're sick too?

TAW_Oilburner
02-03-2007, 06:47 AM
quote: Originally posted by Xiolablu3:
> I also work with computers and I would go with the reformat, as you can be sure that you will be rid of it for sure.
>
> If you have stuff on the hard drive that you need, then copy it to disc before you format.
>
> I have all my stuff on one DVD so that I can reformat, have windows installed and all my stuff back on in an hour.
>
> This option will have it done in 2-3 hours, whereas trying to get rid of it could take you weeks.
>
> Also: I agree with Pirsch, I only use a firewall and a little prog (250k) called 'Startup Monitor' (check it out Pirsch). I never use AV progs. I think I have caught a couple of viruses in the 5 years I have been computing, that's it. Both of those times I reformatted. Common sense and a good firewall work wonders.
>
> Startup Monitor:
>
> http://www.mlin.net/StartupMonitor.shtml
>
> (tells you if something is trying to change your startup files and lets you stop it from doing that)

Amen. You'd also be done by now.

There are many worms/viruses that are memory resident and affect any .exe when it's launched (so the whole "OS on one drive, progs on another" is rendered pointless). I just nuked a game server because somebody was using a cracked exe for a Call of Duty server which was infected. Every time any exe was run on this machine it became infected also... nasty stuff.

Pirschjaeger
02-03-2007, 06:57 AM
quote: Originally posted by Xiolablu3:
> I also work with computers and I would go with the reformat, as you can be sure that you will be rid of it for sure.
>
> If you have stuff on the hard drive that you need, then copy it to disc before you format.
>
> I have all my stuff on one DVD so that I can reformat, have windows installed and all my stuff back on in an hour.
>
> This option will have it done in 2-3 hours, whereas trying to get rid of it could take you weeks.
>
> Also: I agree with Pirsch, I only use a firewall and a little prog (250k) called 'Startup Monitor' (check it out Pirsch). I never use AV progs. I think I have caught a couple of viruses in the 5 years I have been computing, that's it. Both of those times I reformatted. Common sense and a good firewall work wonders.
>
> Startup Monitor:
>
> http://www.mlin.net/StartupMonitor.shtml
>
> (tells you if something is trying to change your startup files and lets you stop it from doing that)

Someone once told me that if I want to reformat and be ueber-sure, then use Linux to reformat and erase partitions before reformatting with Windows and creating partitions. Do you think there's any truth to this? TBH, it seems logical enough to me.

Thanks for the link. I'll check it out.

Funny thing, when I had all those AV programs I used to get viruses often. Since I stopped using them I don't get viruses anymore. Strange but true.

Now I know what some readers will think: "He still gets viruses but doesn't know it.".

Wrong, I knew it before because my pc acted like an 80 year old eating 5 pounds of cheese. It would become very slow and disagreeable.

Since losing the AV programs my pc is fast, reliable, and stable. If my pc runs better with viruses, bring 'em on. :D

After 2 or 3 months, if my pc does anything out of the ordinary, I waste no time and simply reinstall. 1 hour later I'm back to surfing or gaming.

JG52Uther
02-03-2007, 07:19 AM
quote: Originally posted by jarink:
> Instead of reinstalling, though, I'd suggest using disk-imaging software like Norton Ghost to back up a 'good' install complete with drivers and Windows updates. That method usually only takes minutes for a recovery and a lot less work since you don't have to reinstall and configure everything!
BIG +1 to this.

GerritJ9
02-03-2007, 08:06 AM
I had something similar a few weeks ago. I run W2000 Pro as my normal OS with a Russian-language XP Pro as dual-boot. First I could not log on to W2000, so I carried out scans with AdAware, Spybot S&D and AntiVir from XP, which would start initially: nothing. Then used Symantec online scanning: nothing. Other online scans: nothing. Since it was late I rebooted just to see if anything might have improved before going to bed; now I could not even start up W2000, only XP. Next morning not even XP would start; the boot manager would not react to any command. The emergency diskette did not help, nor did trying to repair using the Windows CDs. In the end I had no alternative but to carry out a complete re-install after wiping the hard disc with East-Tec disc sanitizer. Fortunately I make backups regularly of my most important files so I only lost about a week's e-mails. Since then I have created a BartPE emergency CD so at least I will be able to make backups of my most recent files should it be necessary at any point in the future.

RedToo
02-03-2007, 09:16 AM
Try CounterSpy, works for me:

http://www.sunbelt-software.com/

RedToo.

sunflower1
02-03-2007, 10:58 AM
Just for fun, give SUPERAntiSpyware a shot. You can get it at SUPERAntiSpyware.com, imagine that. The fellow at the local computer shop turned me on to it; he's found that it will remove quite a few things that normally require manual work.

Waldo.Pepper
02-03-2007, 02:35 PM
Thanks for trying everyone.
I do this for a living too, btw (a meagre one these days, but still)... a little update, FYI.

In the end I reformatted - not by choice.

I tried a repair install (not the Recovery Console, but a repair install).

Symantec found nothing.
Ewido found nothing (even after I updated.)
Spybot was precluded from running as was safe mode.

It is not so bad in the end; I lost nothing (data wise) but time.

I am left with a fresh install of XP, so that's a happy ending of sorts.

I figured some of you may have heard of the bug that kills off safe mode, if you had not heard, then you have now. Good luck if you get it.

badatit
02-03-2007, 06:10 PM
You might want to look into some sort of backup software (Windows System Restore is a joke/resource hog).
Ghost 7.0 or something similar. Be sure.

Waldo.Pepper
02-03-2007, 10:19 PM
I lost nothing. All was already backed up.

DKoor
02-03-2007, 10:53 PM
Acronis True Image is one of the best as far as backing up stuff is concerned. A lot of options, interface etc. all highest grade stuff.

PBNA-Boosher
02-04-2007, 12:07 AM
Have you tried shutting off the internet connection completely before attempting to destroy the virus/worm? Many of these worms need to have internet access to work, and while it sounds like yours doesn't, it might work.

Waldo.Pepper
02-04-2007, 01:13 AM
quote: Originally posted by PBNA-Boosher:
> Have you tried shutting off the internet connection completely before attempting to destroy the virus/worm? Many of these worms need to have internet access to work, and while it sounds like yours doesn't, it might work.

Yup! Tried that! I pulled the plug on the router and killed internet access, save for one computer that I kept isolated to surf and research.

Only the one computer in my home was affected. Still don't know what worm/trojan/bug it was.

It was an extremely nasty critter. I haven't run into anything this malicious in over ten years, when the big bug back then was Spacefiller!

Xiolablu3
02-04-2007, 04:12 AM
Was there nothing in MSConfig/Startup which looked strange?

It does sound like a nasty one.

Monterey13
02-04-2007, 06:44 AM
So, now that it's fixed, which porn site should we avoid to keep from getting it? ;)

Waldo.Pepper
02-04-2007, 02:46 PM
quote: Originally posted by Monterey13:
> So, now that it's fixed, which porn site should we avoid to keep from getting it? ;)

It's just a bit of harmless fun! I swear!

http://www.muttonbone.com/

-HH- Beebop
02-04-2007, 03:24 PM
quote: Originally posted by Waldo.Pepper:
> It's just a bit of harmless fun! I swear!
>
> http://www.muttonbone.com/

O M G !