Virus won't let me run certain programs

trant

A friend brought me his computer which has Windows XP Pro SP3 on it. He
complained about a virus and not being able to access the Internet (IE gets
hijacked).

While trying to fix it I am noticing something on this machine is preventing
me from running certain programs (exe files). For example I couldn't run
HijackThis. I would double click its icon and the hourglass would appear for
a brief few seconds then go away and the program never launches. Looking in
Task Manager or Process Explorer I see the process gets started, then DPC
kicks in or crss.exe and the process I ran goes away. It's as if the virus
has some kind of interrupt which allows it to filter any process and kill it
if it determines it to be something potentially detrimental to its survival.

Any idea how this virus could do this so that I can remove this capability?

Needless to say nearly all my antivirus programs are being blocked. It
allows AVG to run, possibly because AVG was already installed, but AVG is
unable to detect it or remove it. I know it finds something called
Win32.Crypto but it is unable to remove it (it keeps coming up again and
again)
 
duke

Using task manager.... Are the processes notepad.exe and pbrush.exe
running ?
If yes, then terminate the processes and see if you can properly run
your antivirus programs.

Duke
 
duke

I got this from the McAfee website; it might help you confirm you have
the Win32.Crypto virus by using RegEdit to confirm the existence of
the keys listed:

Characteristics -

This is a virus for Windows 98/NT/2000 and in some cases Windows 95.
This memory resident polymorphic virus uses an encryption algorithm to
stealth the virus infection. This virus was released first on a
website in two files "NOTEPAD.EXE" and "PBRUSH.EXE". The file
notepad.exe is infected with the W32/Crypto virus and is a
Czechoslovakian version of the original Win98 file.

If an infected file is run on a system, the first thing that is
noticed is two files are written to the Windows folder, WININIT.INI
and a patched version of KERNEL32.DLL copied from the Windows\System
folder. The patched code contains encryption algorithm as well as some
stealth methods for anti-monitoring. Also some files are deleted from
the system if they exist, in an effort to prevent detection by
antivirus products. The files removed include the following: AVP.CRC,
IVP.NTZ, ANTI-VIR.DAT, CHKLIST.MS, CHKLIST.CPS, SMARTCHK.MS,
SMARTCHK.CPS, AGUARD.DAT, AVGQT.DAT, LGUARD.VPS.

After running the infected file, the system requires a restart of the
system before the patched KERNEL32.DLL actually takes effect. If the
file is removed prior to rebooting the virus is prevented from further
infection. The patched DLL replaces the authentic one at Windows
restart due to the dropped WININIT.INI file instructing Windows to
replace the file.

At the time of this description, only detection is possible.

The virus modifies the system registry by adding the following keys:
HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography
HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\UserKeys
HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\UserKeys\Prizzy/
29A
HKLM\Software\CLASSES\AutoRun
HKLM\Software\CLASSES\AutoRun\4
HKLM\Software\CLASSES\AutoRun\4\DefaultIcon
HKLM\Software\CLASSES\AutoRun\4\Shell
HKLM\Software\CLASSES\AutoRun\4\Shell\AutoRun
HKLM\Software\CLASSE
Symptoms -

Registry modifications as mentioned above, modification date change on
PE type files.
Method of Infection -

Direct infection via patched KERNEL32.DLL.
Removal -

All Users:
Use current engine and DAT files for detection. Replace files not
cleaned with backup copies.

Additional Windows ME/XP removal considerations


Duke
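The write-up above is a checklist of indicators (registry keys, a dropped WININIT.INI, a staged KERNEL32.DLL in the Windows folder, the two dropper processes). The batch script below is an added example, not part of this thread or of McAfee's write-up: it turns that checklist into a read-only check that can be run from an Administrator cmd.exe on the Windows XP Pro machine in question. It only uses stock XP Pro tools (reg.exe, tasklist.exe, fc, dir) and reports what it finds; it removes nothing. The key list is taken verbatim from Duke's post; the assumption that the live KERNEL32.DLL sits in %WINDIR%\system32 (the write-up, written for Win98/NT/2000, says "Windows\System") is mine.

```batch
@echo off
rem Added example, not from the thread or from McAfee: a read-only check for
rem the W32/Crypto indicators quoted in Duke's post, for Windows XP Pro.
rem Run from an Administrator cmd.exe on the suspect machine. Reports only.
setlocal

echo === 1. Registry keys from the McAfee description ===
rem HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography exists on clean
rem systems too; the tell-tale is the "Prizzy/29A" subkey under UserKeys,
rem so list UserKeys and look for it by eye rather than testing the parent.
echo --- subkeys of HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\UserKeys:
reg query "HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\UserKeys" 2>nul
if errorlevel 1 echo   (UserKeys absent)
rem reg.exe returns errorlevel 1 when a key does not exist.
for %%K in (
  "HKLM\Software\CLASSES\AutoRun"
  "HKLM\Software\CLASSES\AutoRun\4"
  "HKLM\Software\CLASSES\AutoRun\4\DefaultIcon"
  "HKLM\Software\CLASSES\AutoRun\4\Shell"
  "HKLM\Software\CLASSES\AutoRun\4\Shell\AutoRun"
) do (
  reg query %%K >nul 2>&1
  if errorlevel 1 (echo   absent : %%~K) else (echo   PRESENT: %%~K)
)

echo.
echo === 2. Files the dropper stages in %WINDIR% ===
if exist "%WINDIR%\WININIT.INI" (
  echo   PRESENT: %WINDIR%\WININIT.INI  -- contents follow
  type "%WINDIR%\WININIT.INI"
) else (
  echo   absent : %WINDIR%\WININIT.INI
)
rem On XP the live copy lives in system32 (assumption: the write-up says
rem Windows\System, which is the Win98 layout). A byte-wise difference
rem between a staged copy in %WINDIR% and the live one is the warning sign.
if exist "%WINDIR%\KERNEL32.DLL" (
  fc /b "%WINDIR%\KERNEL32.DLL" "%WINDIR%\system32\KERNEL32.DLL" >nul 2>&1
  if errorlevel 1 (
    echo   PRESENT: %WINDIR%\KERNEL32.DLL and it DIFFERS from the system32 copy
  ) else (
    echo   PRESENT: %WINDIR%\KERNEL32.DLL but identical to the system32 copy
  )
) else (
  echo   absent : %WINDIR%\KERNEL32.DLL
)
rem "Modification date change on PE type files": show last-write times.
echo   last-write times:
dir /t:w "%WINDIR%\KERNEL32.DLL" "%WINDIR%\system32\KERNEL32.DLL" 2>nul | find /i "kernel32"

echo.
echo === 3. Dropper processes Duke asked about ===
tasklist /fi "IMAGENAME eq notepad.exe"
tasklist /fi "IMAGENAME eq pbrush.exe"
endlocal
```

If the machine kills cmd windows the way the OP describes for other programs, run the registry part from a clean PC with the suspect drive attached as a second disk instead: `reg load HKLM\Suspect D:\WINDOWS\system32\config\software` (and `...\config\default` for the HKEY_USERS\.DEFAULT hive) mounts the offline hives, the same `reg query` calls then work under `HKLM\Suspect\...`, and `reg unload HKLM\Suspect` releases them afterwards. Drive letter and mount name are placeholders.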
 
PA Bear [MS MVP]

Backup any personal data, then do a format & clean install of Windows.
Please note that a Repair Install (AKA in-place upgrade) will NOT fix this!

cf. http://michaelstevenstech.com/cleanxpinstall.html#steps

After the clean install, you'll have the equivalent of a "new computer" so
take care of everything on the following page before otherwise connecting
the machine to the internet or a network and before using a USB key that
isn't brand-new or hasn't been freshly formatted:

5 steps to help protect your new computer before you go online
http://www.microsoft.com/protect/computer/advanced/xppc.mspx

HOW TO get a computer running WinXP Gold (no Service Packs) fully patched
(after a clean install)
http://groups.google.com/group/microsoft.public.windowsupdate/msg/3f5afa8ed33e121c

HOW TO get a computer running WinXP SP1(a) or SP2 fully patched (after a
clean install)
http://groups.google.com/group/microsoft.public.windowsxp.general/msg/a066ae41add7dd2b

Also see:

Steps To Help Prevent Spyware
http://www.microsoft.com/protect/computer/spyware/prevent.mspx

Rogue Security Software - Microsoft Security:
http://www.microsoft.com/protect/computer/viruses/rogue.mspx
 
C.Joseph Drayton

Before you do anything drastic like wipe the system, I would use Hiren's
v9.9 boot disk to load Mini-WindowsXP. From a connected USB drive, I
would run ClamWin and Spybot Search & Destroy.

Once that has been done, I would use a Linux LiveCD to copy clean
versions of the files mentioned by 'Duke' in another article here.

Then from safe mode, turn off 'System Restore', then run regedit to
remove the keys mentioned by 'Duke'.

If that doesn't work then you might actually have to reinitialize the
system.

Sincerely,
C.Joseph Drayton, Ph.D. AS&T

CSD Computer Services

Web site: http://csdcs.site90.net/
E-mail: (e-mail address removed)90.net
 
Twayne

You have given pathetically little information to go on. You should
learn how to help others to help you. OS, version and SP level?
How long has it been infected?
Did a name or anything meaningful ever pop up on the screen as most
viruses will do?
Any error messages? Quote them.
What AV have you run?
What malware detectors have you run?
A list of the programs that WON'T run?
Some that DO run?
Router? Is it NAT?
Is it running a firewall? Which one? Is it set to high, mid, low, or
what?
Is the machine used for gaming? What IS it used for?
Any idea how/when it got infected? When did the problem first start to
show up? Was it all at once and sudden or slowly developing in its
maliciousness.
Etc., etc., etc.
Clairvoyance and ESP aren't as rampant as they used to be and since no
one can sit in front of your machine, you have to try, at least a little,
to help people help you!

You should read, in its entirety, the following article:
How to Post a newsgroup question effectively:
http://support.microsoft.com/kb/q555375

While the advice at the end of this post sounds reasonable, have you run
or tried to run:
-- Run AV ware?
-- Run at least 3 different anti-spyware programs? People here will be
happy to provide you with a list of good ones if you don't already have
them.
-- Checked at Symantec-Norton for a description of the virus?
-- Checked for same at McAfee and any other viral site you prefer?
You should already have done those last two (actually, all of the
above) since you obviously have a name. What does the AVG site say
about it? Is there a manual removal procedure? I'm betting there will
be at AVG or one of the virus-detecting companies, especially Norton.

Inline please:


If it gets hijacked, then what web site does it go to? Jeez, that's a
hint and a half to tell us! If you mean IE doesn't work, that's not
hijacking. WHAT do you mean by that? Be specific.

HiJack This, if you'll RTFM, should be a last resort after you have done
all that it recommends, most of which is noted above. Have you even
read it?

If you can't get to some web sites, try using the site's IP number
instead of the text name. If you don't know how or can't access a site
to get the IPs, ask here; several here could give you the IPs you need;
it's an easy lookup.

It may not be a virus also; it may be plain old malware which
anti-malware detectors can find. Anti-virus, regardless of its claims,
is ONLY good at finding viruses. There is a LOT of other malware out
there running around.

Not unusual. An old trick to frustrate newbies and the inexperienced.

Yes, but it'd take nearly a book to explain it so it would be useful for
any kind of trouble-shooting purposes. First make use of the tools that
are available. Malware can be pretty complex and run around Hogan's
Barn several times in accomplishing what it does. It's seldom of any
value to know HOW it does it unless you're in the business of detecting
it. And it's not an easy task.

Well, since that's a friend's computer, how about using your OWN
computer to look up what you need?
Or,
Then use the IPs. Which AV programs do you need an IP for? I'll look
them up and provide them to you. Then, instead of putting somesite.com\
for an address, you use the IP number xxx.xxx.xxx.xxx.

AVG for instance is IP 64.74.243.20 It works, I tried it.
Norton/Symantec is IP 64.208.248.193 and it works, too.
McAfee is IP 216.49.88.12
In fact, if you just find a working computer if that one won't do it,

And if you use Google to search for win32.crypto you get about 1,920,000
hits, and the first page is full of information about it.

So you don't really need help: Just Google has all the information you
need to understand and remove it and take care of any leftover nuances.

So why not use your own working computer? Why do you feel you have to
use the problem PC to do research on the problem?

What does AVG say about that? Have you even asked them? I'll bet they
have the answer you're looking for. Very often some part of a virus
cannot be removed because to do so would render the machine incapable of
booting or otherwise trashed. That's when you go looking for the manual
procedures, usually starting with the mfr of your AV ware.

The assistance you need is all around you; just look at it and use it.

HTH,

Twayne
 
Elmo

trant said:
A friend brought me his computer which has Windows XP Pro SP3 on it. He
complained about a virus and not being able to access the Internet (IE gets
hijacked).

While trying to fix it I am noticing something on this machine is preventing
me from running certain programs (exe files). For example I couldn't run
HijackThis. I would double click its icon and the hourglass would appear for
a brief few seconds then go away and the program never launches. Looking in
Task Manager or Process Explorer I see the process gets started, then DPC
kicks in or crss.exe and the process I ran goes away. It's as if the virus
has some kind of interrupt which allows it to filter any process and kill it
if it determines it to be something potentially detrimental to its survival.

Any idea how this virus could do this so that I can remove this capability?

Needless to say nearly all my antivirus programs are being blocked. It
allows AVG to run, possibly because AVG was already installed, but AVG is
unable to detect it or remove it. I know it finds something called
Win32.Crypto but it is unable to remove it (it keeps coming up again and
again)

Burn BitDefender, or another program listed at the link below, to a CD
(using a working machine) and test the infected machine with it.
BitDefender also has a Rootkit checker on the Linux Desktop; run it if
you think that's the problem:

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

Download the executable rather than the .iso image, if one is
available.. it prompts you to insert a CD and burns the file, no problem.

Then run these:

Malwarebytes© Corporation
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

SuperAntispyware
http://www.superantispyware.com/superantispywarefreevspro.html
 
plugginaway

If you find that Malwarebytes will not run due to '..not have
permission..' you can go to Malwarebytes.org/forums/index and read the
stuff in Hijack logs..

Or, use another PC. Uninstall Malwarebytes on the bad PC. Install
Malwarebytes on another set and update, and full scan. Same with
Superantispyware. Both avail at download.com.

Install your bad hard drive into the good PC as ADDITIONAL/SLAVE drive.
NOT replace.

Boot up, then scan the heck out of it with both of those tools, and the
AntiVirus pgm.

Then, copy the Malwarebytes install exe that you downloaded on the first
set over to the bad hard drive (probably D or E or F) somewhere you can
find it easily. Move the drive back to the original set, then install
it and update it. Do Quick scan and reboot. Then do full scan.

Of course, each PC must be OFF when you make hardware changes.

Good luck
 