Virus replacing core executables?

Donnie

I believe I have gotten a virus or spyware or something
that has replaced many if not all of the system files. I
first noticed something wrong when a network icon appeared
in the system tray (mine had always been hidden). I went
to the control panel and found a new network connection
created and enabled, and the firewall turned off the other
network settings. After deleting several files and
killing several processes that kept restarting, I was
unable to log on at all and ended up in Safe mode, where I
discovered a newly created Administrator account. I never
created one named Administrator, and if it is a default in
XP, it never prompted me to log on before. So I was able
to clean things up and seem normal... but every now and
again something would come back, despite my leaving it off
the network. Long story short, in the setupapi.log I see
hundreds of EXEs and DLLs being updated on reboot, and if
I am interpreting correctly, it updated the installation
area first, then initiated a reinstall. It's copying
everything from the \windows\i386 folder, but is also
generating an error that an unsigned or incorrectly signed
file is being copied, and that it's going to install it
anyway because Policy=Ignore. There are several other
registry, inf, and ini entries I've found that suggest
it's done this... has anyone else ever seen this? Or am I
(hopefully) misunderstanding what I'm seeing and it's
really the Microsoft auto updates? (All of my exes now
start running out of control using up memory, so I really
think they have been replaced.)

Is there any place to check the copy of your Windows files
against what a real install should have?
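The post asks how to check a set of Windows files against what a real install should have. The general technique is a hash manifest: record a cryptographic hash of every file from a trusted source (install media or a known-clean machine), then hash the suspect tree and report which files differ, are missing, or have appeared. The script below is an added example, not code from the thread or from Microsoft; the file names and contents it uses are constructed sample data written into a temporary directory so it runs offline, and the baseline it compares against is one you would have to build yourself from a trusted install.

```python
"""Compare a tree of files against a known-good SHA-256 manifest.

Added example (not from the original thread). Assumes a baseline manifest
built from a trusted install and a suspect tree to check against it.
The sample files below are constructed for the demo.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative, forward-slash path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def compare_manifests(baseline, current):
    """Report files whose hash differs, files gone from the suspect tree,
    and files present that the trusted baseline never had."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"changed": changed, "missing": missing, "added": added}


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: a trusted tree, then a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good")
        suspect = os.path.join(tmp, "suspect")
        # Constructed sample contents; real names, fake bytes.
        files = {
            "system32/kernel32.dll": b"original kernel32 bytes",
            "system32/ntoskrnl.exe": b"original kernel bytes",
            "system32/drivers/tcpip.sys": b"original tcpip bytes",
        }
        for rel, data in files.items():
            _write(good, rel, data)
            _write(suspect, rel, data)
        baseline = build_manifest(good)
        # Simulate tampering: one binary replaced, one removed, one unexpected extra.
        _write(suspect, "system32/kernel32.dll", b"TROJANIZED kernel32 bytes")
        os.remove(os.path.join(suspect, "system32/drivers/tcpip.sys"))
        _write(suspect, "system32/svchost2.exe", b"unexpected new binary")
        return compare_manifests(baseline, build_manifest(suspect))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice you would run `build_manifest` against the trusted source once, save the result (JSON is fine), and later run it against the suspect machine's system directory from a boot environment the suspect OS cannot interfere with, since a compromised system can lie to its own tools. The manifest only tells you which files differ; whether a difference is malicious or a legitimate update still needs a second look at the changed files.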
 
Many viruses are expressly designed to alter or corrupt
operating system files. That's why it is prudent to use
a good antivirus program.

How to Perform a Windows XP Repair Install
http://www.michaelstevenstech.com/XPrepairinstall.htm

[Courtesy of MS-MVP Michael Stevens]


If a repair install does not work, then you'll need
to perform a "clean install".

Clean Install Windows XP
http://www.michaelstevenstech.com/cleanxpinstall.html

[Courtesy of MS-MVP Michael Stevens]

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/

 
Thanks for the link. Actually, I have SBCGlobal.net's
firewall enabled and their virus checker, along with XP's
firewall. The virus checker warned of a Trojan but did
nothing (or was zapped by the virus before it could).
Then it set up its own ID on my computer, proceeded to
redeclare everything, and enable/disable things (including
the firewall) as it so chose.

Anyway, thanks again for the link.
 
I have had the same problem for the past 4 months. I
have done everything to rid myself of this virus but it's
in the MBR and it WON'T go away! I've flashed my BIOS,
even a new HD. I do NOT know where it's hiding if it's
not in the HD, but it's NASTY! My virus checkers also did
not catch it. It counteracts everything I do (I've also
done what you did in the registry). Can you check in
your system information under system tools and tell me if
it has changed your version to "5.1.2600 Service Pack 1
Build 2600"? I have been trying to rid myself of this
for months and I've had NO LUCK!!
Thanks!
Sheila
 
FYI - Administrator is the built-in account for all NT OSes, which
include NT 4.0 Workstation, Win2k Pro, WinXP Pro/Home, Win2k Server,
and Win2k3 Server, to name a few.
 
