My Machine.. What I think happened..

[woxnerw]

Hi Gents:
To Start, I'll list it's specs.

P-111 Asus/Intel CUSL2c 1.2mhz. 512 meg. ram Two L/G DVD/CD Burners on IDE Sec.port Two Hard Drives on Pri.IDE Port ATI AIW 128 Pro graphics StarTech LAN StarTech Promise-T RAID with Four Hard Drives connected 56 kbs Modem Two S/B audio Cards and a rev.2 USB Card..

This machine is one of three that I operate with my Recording Studio

WOXNERW - Audio & Recording

It's not the fastest machine but it's regarded as quite stable in-and-around the audio business..

Recently, and up to about a week or so ago it has operated quite well for what I use it for.. It's my "Knock Around" machine. I go on-line, test applications, Edit Tracks-and-files with it and generally keep my other machines off the Internet by using this machine.. It's even able to stream 33-35 tracks through the LAN, to-and-from the Studio Machines.. There's 500 + gigs of storage space with-in the hard drives..

It began to operate sluggishly..

The mouse-and-keyboard didn't behave the way they used to.. Just generally, a poor-working machine..

Friday, I discovered I had picked up a Trojan.. Called Trojan horse Generic4.ZKG The virus utility I use is AVG Free. latest and up-to-date.. Lit up and produced a scan.. It saw and healed a virus called hp-1003.exe..

But.. That ain't the end of it.. I don't know where to find-and-locate the Trojan horse Generic4.ZKG My machine is still stressed and the virus utility is still lighting up and my machine is getting worse..

Now, when I boot the machine ,... This is what happens..

The Post-up is fine and looks O.K. The XP screen appears and then goes to the "Welcome" screen.. That all looks O.K. But...

The Desk looks like this..

The Background screen/desk appears but.. The Desk's icons don't appear for about 3-5 minutes.. at which time ALL is fine... BUT after a time the Mouse-and-keyboard begin to NOT Work Correctly.. They stutter and GO-ON and it looks like the graphics card is stressed.. At odd times the AVG Utility lights up and does a scann. Sometimes it finds the hp-1003.exe virus sometimes it doesn't..

Is there a way to fix this machine?

If I take it to a shop they'll give me the "Bum's-Rush".. when I tell them I'm an Audio Freak.. They don't like looking at machines that are set-up for Audio Use.. Some places even say.. Do I know a guy whose Nick name is woxnerw

Besides, I don't like taking this machine to somebody I don't know..

I'm at the End-of-the-Line.. Guys.. Anything you might suggest would be a great help to get me looking in the right direction..

Thanks for for having a look at this post..

Bill..

[stinger608]

Well one thing, you are very correct in the fact that you DO have a Trojan virus, that evidently AVG will not completely correct!!! That is a real bummer man!!!

Now then, probably the very best anti virus software, that WILL correct your problem would be Panda!!! You can do an online scan of your system with Panda anti virus, but it probably will not correct the problem with out purchasing the software.

Now please be aware of this, Panda software is a very big, big system hog!!!!
But, if you purchase the software, it has a program that you can create a boot disk with the up to date definitions and can boot from a CD-ROM and scan, find, and fix VERY SERIOUS virus problems!!!

I am sorry, but DO NOT attempt to purchase crap like Norton, or any of the other highly advertised anti virus software!!! It is kind of like Pennzoil, very highly advertised, but is just nothing more that re vamped oil

Try the online scan with Panda, it may be able to rid the system of the virus, but if not, then I would suggest purchasing the Titanium version of the software.
Can't remember, off hand, what the URL is, but hell, you can Google that without problems

Good luck bro, and a big

WELCOME TO HARDWARELOGIC!!!!

[woxnerw]

Hi strnger608:
Thanks for your quick reply.. I was gonna take a nap and think about this DO-DO I've found myself in.. I think it was 02 or 03 that I last got Hit with this stuff.. It hurt my setup so bad that I lost several hard drives and 2 or 3 complete projects..

I promised myself that I wasn't gonna leave myself vulnerable to find my setup and I in this bind again..

Bill..

[EDIT]

I forgot to add this to the reply..

AVG "Heals" the executable command that the Trojan produces.. The .exe is * hp-1003.exe ".. I find that file in the AVG Vault.. However, it renames the file to a "Number's" file.. e.g. 10358314.FIL AVG Dates and times it in the folder.. In fact, as I write this [{EDIT] the virus utility lit up and the command is Do I want to heal the file? I replied "YES".. BUT as I was healing the file One went into the Vault at which time It was dated 15/07/2007 8:56pm the file size is 70kbs..

[Stormcrow]

Several options you can try, all of which are free.

1. Locate the trojan yourself, boot into safe mode, clear it form the folders and registry. Not the best thing to do if you dont feel comfortable messing around in the windows folders and registry, but fun in its own right.

2. Run multiple AV software, like Stinger suggested with Panda. I've had alot of success with Avast!, and Nod32. Ad-Aware also sometimes picks up trojans and deletes them. Run the software in Safe mode, so as your sure it can nab it.

3. My favorite way. Restart your computer into safe mode. Run a copy of HijackThis! found here: http://www.trendsecure.com/portal/en...hijackthis.php Normally it's used for getting rid of spyware, but it is amazing at finding the other baddies lurking in your registry. Run the program, then save the notepad report it gives you. Keep the program open. Go to HijackThis Logfileauswertung, and upload or paste your logfile into the space provided. The site will then compare your entries to those uploaded and tracked by users the world over. It'll tell you what the registry is, how bad it is, and if you should remove it. Simply use the site as a reference to check the ones on the program that are malware, and then remove them. Dont delete anything your not sure you should. HijackThis has gotten rid of every trojan thats bothered me so far, and even uproots the crap that Logitech, Microsoft, and others hide in their drivers. Afterwards, run a few AV programs and restart normally.

Hope this helps ya some

[woxnerw]

Hi Stormcrow and Gents:
I'm up-and-going today.. I'm considering just how I'll approach this task..

Thanks for those links and I'll browse them and download those utilities on your suggestion, and see how and what if I can make any headway with using them.

I'm New to the Proceedures and Understanding of how to search for this stuff. I've done a windows search for the names of these files and .. Of Course.. nothing shows up when the search has stopped..

When you've done this search before it all becomes perfectly clear how this works and what the End Product of all this work will produce. I think.. Well.. Can I assume that this is correct?

As I write this reply, something has triggered AVG to do a complete test on my drives.. It takes a couple of hours to do a scan of these drives.. After 24 minutes of this scann I't's still into the "C" Drive and the Windows Temp Folder.. Sure enough.. Trojan horse Generic4.ZKG is on the AVG List as a threat..

The Path and File name is... C:\System Volume Information\-restore{Do96E76A-0E22-48A7-817B-Fa511937DEE}\RP780\A0404149.exe

NO hp-1003.exe so-far.. this time... (scan)... Well..

With all this happening at the same time... the machine's system is stressed.. Big Time. I can tell by how the mouse and keyboard is behaving right now..

Using this information, How can I use this to approach the issue I have?.. I don't know how to use and or proceed with this.. Is this the start of tracking this down?

A well.. AVG has posted a file update today.. I'm at 70% of the download.. This is huge.. The file size is 10488.7 kbs. What's all this?

I'm not sure if this has gotten past the "C" Drive.. OR.. do you think IT (this Trojan) has moved beyond this drive, in my machine?? AND Can it?

I can see lots of work ahead of me today..

Am I headed in the right direction? AND... Am I up for this? Is all this worth IT?

Thanks for sticking with me on all this..

Bill..

[EDIT]
I just tried to enter C:\ (The Path) to where this file is.. I am denied access to the folder System Volume Information.. Is that a normal response.. for this to happen? How do I open this folder?

[Panda Man]

Quote:

Originally Posted by Stormcrow

like Stinger suggested with Panda.

Quote:

Originally Posted by stinger608

Now then, probably the very best anti virus software, that WILL correct your problem would be Panda!!!

GTFO! :P

Quote:

Originally Posted by woxnerw

Hi Stormcrow and Gents:
I'm up-and-going today.. I'm considering just how I'll approach this task..

Thanks for those links and I'll browse them and download those utilities on your suggestion, and see how and what if I can make any headway with using them.

I'm New to the Proceedures and Understanding of how to search for this stuff. I've done a windows search for the names of these files and .. Of Course.. nothing shows up when the search has stopped..

When you've done this search before it all becomes perfectly clear how this works and what the End Product of all this work will produce. I think.. Well.. Can I assume that this is correct?

As I write this reply, something has triggered AVG to do a complete test on my drives.. It takes a couple of hours to do a scan of these drives.. After 24 minutes of this scann I't's still into the "C" Drive and the Windows Temp Folder.. Sure enough.. Trojan horse Generic4.ZKG is on the AVG List as a threat..

The Path and File name is... C:\System Volume Information\-restore{Do96E76A-0E22-48A7-817B-Fa511937DEE}\RP780\A0404149.exe

NO hp-1003.exe so-far.. this time... (scan)... Well..

With all this happening at the same time... the machine's system is stressed.. Big Time. I can tell by how the mouse and keyboard is behaving right now..

Using this information, How can I use this to approach the issue I have?.. I don't know how to use and or proceed with this.. Is this the start of tracking this down?

A well.. AVG has posted a file update today.. I'm at 70% of the download.. This is huge.. The file size is 10488.7 kbs. What's all this?

I'm not sure if this has gotten past the "C" Drive.. OR.. do you think IT (this Trojan) has moved beyond this drive, in my machine?? AND Can it?

I can see lots of work ahead of me today..

Am I headed in the right direction? AND... Am I up for this? Is all this worth IT?

Thanks for sticking with me on all this..

Bill..

[EDIT]
I just tried to enter C:\ (The Path) to where this file is.. I am denied access to the folder System Volume Information.. Is that a normal response.. for this to happen? How do I open this folder?

Yeah thats normal, you shouldn't have access to System Volume Information. I can't remember why though. But that giant update isn't, but that might be a full update rather than just a virus library update. 2 things I would suggest. First is the easy one. Grab a copy of the NOD32 trial (I Likes it teh bestest!)

Free Spyware Removal - Free Antivirus software and antivirus download from ESET

Update and scan with it to try and get rid of it. If you can't, try this

Go to My computer, and click on tools > Folder options. Go to view, and uncheck the box that says "hide protected operating system files" and select the option to show all hidden files as well.

No go to C:\ and find a file called autoexec.bat. right click on it and select edit. Now enter the following line:

Code:

del C:\System Volume Information\-restore{Do96E76A-0E22-48A7-817B-Fa511937DEE}\RP780\A0404149.exe  /F /Q

If it has changed again, change the filename in that code, and directory if need be. Anyways, reboot, and the file should be gone. Reopen the autoexec.bat file and remove the new line

Maybe this article can help as well

How to gain access to the System Volume Information folder

Hope you found this useful!

[Stormcrow]

Trojans normally embed themselves into your system32 folder, so whatever drive Windows boots from will be the drive thats infected. You can concentrate the scans just on that drive to speed things up some.

[woxnerw]

Thanks for the replies, Gents:
I have a TO-DO List going here. I'll get to them as this project expands. Thanks to you all.

I have an up-dated report to add to the Cow-Pie..

I am unable to get to My Computer by clicking on the Desk's icon.. This issue is expanding, all over this machine.. When I boot to "Safe Mode" I find I am unable to open "My Computer", as well.. I have a feeling that what I'm doing so-far is just aggrevating this issue.. I think I need to slow down and approach this issue in a different manner..

What's goin' on..??

I was sure if I opened a drive in My Computer I could see the contents of System Volume Information.. In fact I cut-and-pasted that Path and File... In fact.. The real Path of this file is drive E:\

I have temporarily removed the Promise-T Drives from this machine, in case I loose some valuable .wav files..

The Path and File name is... C:\System Volume Information\-restore{Do96E76A-0E22-48A7-817B-Fa511937DEE}\RP780\A0404149.exe

to a USB Portable drive.. That's when the s**t hit the Fan.. So, as a result of that I un-did the file move and I could open my computer after a re-boot again.. I'm not able to Restore this machine to an "Earlier Date" anymore.. When I tried that the machine "Blue Screens".. After a re-boot a screen says that the restore is unable to complete the task..

I have some amount of reading To-Do from your posts, to get up to speed with your suggestions..

I'd sure like to save this "C" Drive as it's the original install of XP on this machine.

A Lay-Man's Question ??

I haven't tried this.. Could restoring this build back to say several months, help-and-make this, work? At this point-in-time, I have only restored back to a few days..

I hope I'm reporting my activity on this issue in the correct order..

This is gettin' ugly..

Working away on this Rock-Pile..

Bill..

[woxnerw]

I'm in the process of downloading the Panda Free Scan. I'm on a dial-up.. So..

The utilities up-dates are quite a large file. I'm about 1/3 of the download.

Bill..

[woxnerw]

I'm Back to Report:
I used the Panda Free Scan to locate the Files-of-Issue.. I'm still in the process of locating these files.. However, several of these files are now removed from the folders they were attached to.. This machine is on the come-back..

I was in the Registry and working on re-naming file extensions.. e.g. .exe files ..I re-named them to .ete extensions.. (not removed yet).. sys files .. I renamed to .sts extensions.. (not removed yet)..

Anyway, these files are not interfering and stressing the work-flow of this machine.. Some of the files I removed from their folders are placed them in the AVG Vault.. These files were identified by the Panda Free Scan Utility. So-Far-So-Good..

There is one file I am unable to find.. It's path-and-location is..

c:\windows\downloaded program files\UWAS6_0001_N68M2301NetInstaller.exe

I don't know where to find it.. It's not in the downloaded programs Folder..

I did a windows search on it.. Nothing appears.. What's up??

This may be the Key File that's gonna fix this machine..

Bill..