Topic: Has anyone seen this type of virus?

The Gorn

  • Your agonizer, please. And be sure to keep the batteries charged!
  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 14182
  • Gornix user
Has anyone seen this type of virus?
« on: August 14, 2004, 05:57:45 pm »
A virus that knocks down Task Manager and RegEdit?

I.e., you run Task Manager and the screen flashes up for up to a couple of seconds, then closes. Same with Regedit. The intent appears to be to prevent users from diagnosing their computer virus problem.

I ran into this on a client's computer yesterday. When I ran Task Manager and was able to get to the "processes" tab for a second before it closed, I could see the just-booted computer SWIMMING with processes with weird names.

This was a computer that normally reliable AVG Anti Virus had just scanned (with up to date virus definitions) and reported clean.

I told the client that they'd better plan on formatting the HD and reinstalling Windows.
Gornix is protected by the GPL. *

* Gorn Public License. Duplication by inferior sentient species prohibited.


boty

  • Occasional User
  • ***
  • Posts: 25
Re: Has anyone seen this type of virus?
« Reply #1 on: August 15, 2004, 04:15:51 pm »
Arrrggghhh!

Reformat and reload is not the answer. It will just happen again! Yes, there are viruses/spyware/trojans that will kill taskmgr, msconfig, regedit, anti-virus and firewall programs. They also infect the hosts file and redirect all attempts at updating said software. These are not always classified as viruses and so are not found by anti-virus programs.

First - Download and install AdAware (www.lavasoftusa.com) and update it.
Second - Download and install Spybot Search & Destroy (security.kolla.de) and update it.
Second and 1/2 - disable System Restore.
Third - Boot to safe-mode. Run full scans using the above and delete all found. Safe-mode is required to be able to delete items that may be running in regular mode. With Spybot, choose the 'immunize' function first.
Fourth - Check the hosts file (for XP - c:\windows\system32\drivers\etc\hosts). Delete anything other than the first non-commented line (127.0.0.1   localhost). Scroll *all* the way down (some like to hide at the bottom).
Fifth - While scans are running, run MSConfig and remove any suspect processes from startup.

*Whew!*

Boot back to normal mode, turn System Restore back on.

Re-enable taskmgr:

www.kellys-korner-xp.com/...anager.reg

Check this link:

securityresponse.symantec...sta.a.html

This is only one of several that disable tools we need. There are many more.

Good luck!

Bob Tyler...
Tyler Systems
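The hosts-file check in Bob's fourth step, and the registry reset behind the Task Manager .reg file he links, as an added example that is not from the thread. The sample hosts file is constructed; the two policy value names are the well-known ones this class of malware sets, not values quoted in the thread.

```python
# Constructed sample hosts file (not from the thread): the localhost line
# comes first; the redirections hide at the bottom after blank lines.
SAMPLE_HOSTS = """# Sample HOSTS file (constructed)
127.0.0.1       localhost


127.0.0.1       www.lavasoftusa.com   # AdAware site redirected to self
127.0.0.1       security.kolla.de     # Spybot site redirected to self
10.1.2.3        liveupdate.example    # fake update server (placeholder)
"""
EXPECTED = ("127.0.0.1", "localhost")

def parse_mappings(text):
    """Yield (line_number, ip, hostname) for every active mapping."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # strip comments
        for name in fields[1:]:
            yield lineno, fields[0], name.lower()

def audit_hosts(text):
    """Return every mapping other than the expected localhost line."""
    return [m for m in parse_mappings(text) if (m[1], m[2]) != EXPECTED]

def clean_hosts(text):
    """Keep comments, blank lines and the localhost mapping only."""
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        harmless = len(fields) < 2 or (
            len(fields) == 2 and (fields[0], fields[1].lower()) == EXPECTED)
        if harmless:
            kept.append(raw)
    return "\n".join(kept) + "\n"

# Well-known policy values (not quoted in the thread) that this class of
# malware sets to block Task Manager and Regedit; importing this .reg text
# resets them to 0 for the current user.
REENABLE_TOOLS_REG = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"DisableTaskMgr"=dword:00000000
"DisableRegistryTools"=dword:00000000
"""
```

Running audit_hosts on the real file from safe mode lists exactly the lines Bob says to delete, including any parked at the very bottom.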


The Gorn

  • Your agonizer, please. And be sure to keep the batteries charged!
  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 14182
  • Gornix user
Re: Has anyone seen this type of virus?
« Reply #2 on: August 15, 2004, 04:40:30 pm »
Thanks for the tips, Bob.

This was a home user so (even tho they had a $500K+ home and dripping wealth in other ways) I feel under time pressure to justify missteps. I.e., what if I fixed THIS virus then find other viral behavior?

I realize that the problem "should" be repaired but if I am not certain I can succeed to the extent required to bill the customer, I will not do it... If they want to let their Norton AV subscription expire, they won't learn why a firewall is needed, they run peer to peer file sharing, and they click on every !@^* piece of crap that pops up, then it's going to reappear anyway.

Whereas I am dead certain I can reinstall Windows and get paid for all of my time.

But thanks anyway! You confirmed the b@stardly nature of these viruses. Incredible.


JBB

  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 2362
Re: Has anyone seen this type of virus?
« Reply #3 on: August 16, 2004, 11:19:06 am »
You might also want to download and install CWShredder and HiJackThis.  AdAware and Spybot don't get everything.

The Gorn

  • Your agonizer, please. And be sure to keep the batteries charged!
  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 14182
  • Gornix user
Re: Has anyone seen this type of virus?
« Reply #4 on: August 16, 2004, 11:30:54 am »
I know and am best friends with Cool Web Shredder, thanks. This bug isn't Cool Web Search. I believe it's a rather nasty trojan with "polymorphic" (mutating) properties.

Oh well, it's a home user and they want to know if they should just buy another pc... right. :lol  

Personally I'd take their PC as it is now, tie a rather large rock to it, and take it to my favorite local marina for a depth sounding. It's that nasty.

My issue is, how much do I attempt before telling the customer that the problem is unfixable? If I exercise "professional integrity" and try to make it good I could be in for a ton of unbillable time. And they don't care if it's a tough business, you can believe that.

Making a business out of this sh*t is tough.


JBB

  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 2362
Re: Has anyone seen this type of virus?
« Reply #5 on: August 16, 2004, 01:02:47 pm »
I have friends locally in the same line of work you're pursuing.  In their business they find it is often faster to just reimage the PC than to try and find exactly what the problem is.  I don't know if that's something that would work for you in this case or not.  Obviously, you would want to preserve the user's data / files...so...not sure if that way of approaching it is one you want to fuss with.

The Gorn

  • Your agonizer, please. And be sure to keep the batteries charged!
  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 14182
  • Gornix user
Exactly
« Reply #6 on: August 16, 2004, 01:07:03 pm »
I could toast three hours or more trying different things that don't help. The experience I had last week culminated in that judgement of the situation.


