Does Anyone Recognize These Symptoms? A Call for Help!

Randy Yates

This is from memory (on my home PC), so caveat. This is under Win2K.

1. The registry's /hkey_current_user/Microsoft/Windows/Startup/Run directory is empty.
Instead, there is a .../Run- directory with my normal startups present.

2. When deleting registry entries using HijackThis, they re-appear immediately
as a rescan shows.

3. No strange processes show up in Task Manager, however HijackThis finds vruwuu.

4. Get this: I get the Blue Screen of Death(TM) when attempting to boot Windows
into Safe Mode.

5. Using the Console Repair facility of the Win2k install disk, listsvc shows
services that aren't listed when the services GUI application under normal
run-time Windows is invoked, e.g., "delprot".

6. I have two physical hard drives C and E. Reinstalling Win2k (without reformatting) resulted
in Win2k being installed on my E drive. Rebooting with a CD in the tray, but choosing not
to boot from it, boots the E drive Win2k, so that my old E drive becomes my C drive and
vice versa. If I boot without the CD in the tray, the system comes up the old way.

7. At least some of the above symptoms have remained after doing a Windows reinstall (without
reformatting) and a full scan and clean with Norton Antivirus.

8. Accesses to Symantec's site are being redirected to dummy duplicates.

Help! Does this sound familiar? If so, please let me know what I've got and how
to get rid of it.
 
Randy Yates

Couple more things:

1. Disabling delprot (and every other service that wasn't listed in my fresh
"E drive" windows install) doesn't help - symptoms come back.

2. I'm finding a lot of ADSs using HiJackThis.

3. HiJackThis is finding things in my registry that aren't visible when I
examine it with regedt32.

--Needing Help
 
Ian JP Kenefick

> This is from memory (on my home PC), so caveat. This is under Win2K.
>
> 1. The registry's /hkey_current_user/Microsoft/Windows/Startup/Run directory is empty.
> Instead, there is a .../Run- directory with my normal startups present.

Yes - I have this also. I removed the newest version of MediaAccess
spyware from the computer though. This comprises a trojan
downloader and another executable which monitors the spyware. If you
attempt to remove its reg keys it will replace itself.

> 2. When deleting registry entries using HijackThis, they re-appear immediately
> as a rescan shows.

There is a process which enumerates running processes and monitors the
registry. If the key for it is not present then it will add itself
again and again and again.....

> 3. No strange processes show up in Task Manager, however HijackThis finds vruwuu.

Bingo!

> 4. Get this: I get the Blue Screen of Death(TM) when attempting to boot Windows
> into Safe Mode.

Microsoft Antispyware was updated recently. This terminates both
processes (the malware itself and the process which enumerates others).

> 5. Using the Console Repair facility of the Win2k install disk, listsvc shows
> services that aren't listed when the services GUI application under normal
> run-time Windows is invoked, e.g., "delprot".

Kinda like delete protection....

> 6. I have two physical hard drives C and E. Reinstalling Win2k (without reformatting) resulted
> in Win2k being installed on my E drive. Rebooting with a CD in the tray, but choosing not
> to boot from it, boots the E drive Win2k, so that my old E drive becomes my C drive and
> vice versa. If I boot without the CD in the tray, the system comes up the old way.
>
> 7. At least some of the above symptoms have remained after doing a Windows reinstall (without
> reformatting) and a full scan and clean with Norton Antivirus.
>
> 8. Accesses to Symantec's site are being redirected to dummy duplicates.

Deleting the hosts file from <system>/drivers/etc/ will cure this
temporarily.

Install and update MS Antispyware to remove this threat. It worked for
me fine.

P.S. There is a picture on the weblog of my website.
--

Regards,
Ian Kenefick
Got a virus?
Go to www.ik-cs.com > 'Got a virus?'
 
Randy Yates

Ian JP Kenefick said:
> Yes - I have this also. I removed the newest version of MediaAccess
> spyware from the computer though. This comprises a trojan
> downloader and another executable which monitors the spyware. If you
> attempt to remove its reg keys it will replace itself.

Well I'm confused. Is this or is this not a valid Windows configuration?
If it is not, then doesn't that mean that something is hijacking my system
and running the processes in the Run- branch?

> There is a process which enumerates running processes and monitors the
> registry. If the key for it is not present then it will add itself
> again and again and again.....

And what process would that be?

By the way, I think this would be a good time to reveal that I've found that
there is a way for a process to run under a different name, so that one of
the benign-looking windows processes (e.g., svchost) is actually a malware
service.

Bingo what?

> Microsoft Antispyware was updated recently. This terminates both
> processes (the malware itself and the process which enumerates others)

How does that repair a BSOD in Safe Mode?

> Kinda like delete protection....

What exactly is "delete protection"? I could fathom that it refers to the
process that reinstalls, e.g., the registry branches whenever they're deleted.
Is that it?

The problem with that theory is that I disabled that process using the
Console Repair facility but the problem persists. Does the virus have a
way to run a service even when it is disabled?

Note also that I couldn't see this service in the services applet. Is
it hiding itself somehow?

By the way, is there any way to get a complete list of all services on a running system,
even hidden ones?

> Deleting the hosts file from <system>/drivers/etc/ will cure this
> temporarily.

What is the hosts file?

> Install and update MS Antispyware to remove this threat. It worked for
> me fine.

OK, thanks. I'd kinda like to know what's going on in the internals, though.
--
% Randy Yates % "Midnight, on the water...
%% Fuquay-Varina, NC % I saw... the ocean's daughter."
%%% 919-577-9882 % 'Can't Get It Out Of My Head'
%%%% <[email protected]> % *El Dorado*, Electric Light Orchestra
http://home.earthlink.net/~yatescr
 
Ian JP Kenefick

> Well I'm confused. Is this or is this not a valid Windows configuration?
> If it is not, then doesn't that mean that something is hijacking my system
> and running the processes in the Run- branch?

You can safely remove the Run- branch - it will not affect your computer.

> And what process would that be?

MediaAccK.exe

> Bingo what?

Randomly generated name - most probably malware...

> How does that repair a BSOD in Safe Mode?

If the BSOD is caused by this malware that is... If not run ASR :)

> What exactly is "delete protection"? I could fathom that it refers to the
> process that reinstalls, e.g., the registry branches whenever they're deleted.
> Is that it?

I was guessing that was what 'delprot' stood for.

> The problem with that theory is that I disabled that process using the
> Console Repair facility but the problem persists. Does the virus have a
> way to run a service even when it is disabled?
>
> Note also that I couldn't see this service in the services applet. Is
> it hiding itself somehow?
>
> By the way, is there any way to get a complete list of all services on a running system,
> even hidden ones?

This is not a virus. This is spyware. No, this is not a service - well
not my example anyways.

> What is the hosts file?

Google is your friend....

The short answer is that the Hosts file is like an address book. When
you type an address like www.yahoo.com into your browser, the Hosts
file is consulted to see if you have the IP address, or "telephone
number," for that site. If you do, then your computer will "call it"
and the site will open. If not, your computer will ask your ISP's
(internet service provider) computer for the phone number before it
can "call" that site. Most of the time, you do not have addresses in
your "address book," because you have not put any there. Therefore,
most of the time your computer asks for the IP address from your ISP
to find sites.

> OK, thanks. I'd kinda like to know what's going on in the internals, though.

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml :)
--

Regards,
Ian Kenefick
Got a virus?
Go to www.ik-cs.com > 'Got a virus?'
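Symptom 8 in this thread (vendor sites redirected to dummy duplicates) is exactly what a tampered hosts file produces. The following Python script is an added example, not code from any poster or tool mentioned here: it parses hosts-file text, flags any entry naming a security-vendor domain, and tells a redirect to a real address apart from a loopback/0.0.0.0 blackhole. The vendor list and the sample hosts content are constructed assumptions.

```python
"""Flag hosts-file lines that mention security-vendor domains.
Added example for this thread, not code from any poster; the sample hosts
text is constructed and the watched-domain list is an assumption."""
import ipaddress

# Domains malware commonly hijacks to stop AV updates (assumed list). On
# Windows the hosts file lives under <system>\drivers\etc\hosts.
WATCHED_SUFFIXES = ("symantec.com", "norton.com", "microsoft.com",
                    "windowsupdate.com", "sysinternals.com")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address; skip malformed line
        for host in parts[1:]:
            yield ip, host.lower(), no


def suspicious_entries(text):
    """Return (line_no, host, ip, kind) for watched domains in the file;
    kind is "blocked" (loopback/0.0.0.0) or "redirected" (any other IP)."""
    hits = []
    for ip, host, no in parse_hosts(text):
        if not any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES):
            continue  # a normal hosts file has no reason to list these
        kind = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
        hits.append((no, host, str(ip), kind))
    return hits


# Constructed sample: clean localhost line, injected redirect, harmless
# ad-blocking line, and a blackholed update host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      www.symantec.com securityresponse.symantec.com  # injected
127.0.0.1       ads.example.net
0.0.0.0         liveupdate.symantec.com
"""

if __name__ == "__main__":
    for no, host, ip, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {no}: {host} -> {ip} ({kind})")
```

Deleting the file, as suggested above, removes the injected lines but also any legitimate entries; reviewing the flagged lines first shows what was actually tampered with.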
 
Randy Yates

Ian JP Kenefick said:
> [...]
> > What is the hosts file?
>
> The short answer is that the Hosts file is like an address book. When
> you type an address like www.yahoo.com into your browser, the Hosts
> file is consulted to see if you have the IP address, or "telephone
> number," for that site. If you do, then your computer will "call it"
> and the site will open. If not, your computer will ask your ISP's
> (internet service provider) computer for the phone number before it
> can "call" that site. Most of the time, you do not have addresses in
> your "address book," because you have not put any there. Therefore,
> most of the time your computer asks for the IP address from your ISP
> to find sites.

Oh, so you mean the hosts file simply allows the browser to avoid
a DNS lookup?

By the way, after running MS Antispyware (name?), the problems in
the registry STILL persist. Something is STILL copying stuff
back in after I delete it from the registry. However, popups
seemed to have stopped.
 
Ian JP Kenefick

> By the way, after running MS Antispyware (name?), the problems in
> the registry STILL persist. Something is STILL copying stuff
> back in after I delete it from the registry. However, popups
> seemed to have stopped.

Have you updated definitions?

--

Regards,
Ian Kenefick
Got a virus?
Go to www.ik-cs.com > 'Got a virus?'
 
Randy Yates

Randy Yates said:
> xx99. (5799?) Can't remember - I'm at work.

5699.

One more piece of data possibly related to this malady. The winlogon
process seems to be corrupted. It has infrequently but conspicuously
evoked the BSOD since the other symptoms began last week. I also have
been getting messages like "Winlogin - invalid [or unexpected] entry
point" or some such occasionally.
--
% Randy Yates % "Though you ride on the wheels of tomorrow,
%% Fuquay-Varina, NC % you still wander the fields of your
%%% 919-577-9882 % sorrow."
%%%% <[email protected]> % '21st Century Man', *Time*, ELO
http://home.earthlink.net/~yatescr
 
Dave Budd

> One more piece of data possibly related to this malady. The winlogon
> process seems to be corrupted. It has infrequently but conspicuously
> evoked the BSOD since the other symptoms began last week. I also have
> been getting messages like "Winlogin - invalid [or unexpected] entry
> point" or some such occasionally.

Get a virus scanner you can run from the command line and boot
to SafeModeWithCommandPrompt and scan C:\WINDOWS
 
Randy Yates

Dave Budd said:
> > One more piece of data possibly related to this malady. The winlogon
> > process seems to be corrupted. It has infrequently but conspicuously
> > evoked the BSOD since the other symptoms began last week. I also have
> > been getting messages like "Winlogin - invalid [or unexpected] entry
> > point" or some such occasionally.
>
> Get a virus scanner you can run from the command line and boot
> to SafeModeWithCommandPrompt and scan C:\WINDOWS

You probably missed my first or second post in which I stated that
I cannot boot to safe mode (neither the GUI version nor the command
prompt version). I get a BSOD. Normal windows mode works fine.

Could I perform this function just as effectively by inserting another
hard drive with Win2k on it, booting from it, and scanning my
original drive (as, e.g., a "d:" drive)?
 
Dave Budd

> Dave Budd said:
> > > One more piece of data possibly related to this malady. The winlogon
> > > process seems to be corrupted. It has infrequently but conspicuously
> > > evoked the BSOD since the other symptoms began last week. I also have
> > > been getting messages like "Winlogin - invalid [or unexpected] entry
> > > point" or some such occasionally.
> >
> > Get a virus scanner you can run from the command line and boot
> > to SafeModeWithCommandPrompt and scan C:\WINDOWS
>
> You probably missed my first or second post in which I stated that
> I cannot boot to safe mode (neither the GUI version nor the command
> prompt version). I get a BSOD. Normal windows mode works fine.

I did indeed miss that post.

> Could I perform this function just as effectively by inserting another
> hard drive with Win2k on it, booting from it, and scanning my
> original drive (as, e.g., a "d:" drive)?

The scan is much more likely to find the problems that way. Not
many people are comfortable with the drive swapping though, so
it's rarely recommended here. Don't forget you have to change
which drive is master and which is slave.
 
Randy Yates

Dave et al.,

The "alternate drive" scan did the trick. Thank you all for
your responses.

--Randy

Dave Budd said:
> Dave Budd said:
> > > > One more piece of data possibly related to this malady. The winlogon
> > > > process seems to be corrupted. It has infrequently but conspicuously
> > > > evoked the BSOD since the other symptoms began last week. I also have
> > > > been getting messages like "Winlogin - invalid [or unexpected] entry
> > > > point" or some such occasionally.
> > >
> > > Get a virus scanner you can run from the command line and boot
> > > to SafeModeWithCommandPrompt and scan C:\WINDOWS
> >
> > You probably missed my first or second post in which I stated that
> > I cannot boot to safe mode (neither the GUI version nor the command
> > prompt version). I get a BSOD. Normal windows mode works fine.
>
> I did indeed miss that post.
>
> > Could I perform this function just as effectively by inserting another
> > hard drive with Win2k on it, booting from it, and scanning my
> > original drive (as, e.g., a "d:" drive)?
>
> The scan is much more likely to find the problems that way. Not
> many people are comfortable with the drive swapping though, so
> it's rarely recommended here. Don't forget you have to change
> which drive is master and which is slave.