I Was Infected. Nasty Bug. Does Anybody Recognize This Behaviour.

kukubau
edited February 2008 in Malware talk

Hi guys


Sorry to say, but my system got infected for the first time ever. Should I be happy? Let me think.


I'm sure I have a bug in my system. It managed to modify write/read permissions. Whenever I try to install Bitdef or any other AV, I get "Error writing to c:\Program Files\......." or similar. If I try to reboot in safe mode I get a BSOD.


I scanned my system with every online scanner out there. Nothing. I tried Sysinternals' Autoruns utility so I could identify the culprit. Nothing. RootkitRevealer. Nothing. I think it's a rootkit bug, because none of the AV online scans found anything pesky on my drives.


My suspicion is that it runs at driver level or at boot time. Or probably it's an MBR bug. Who knows.


My box is behaving erratically. Registry keys had their permissions changed, I can't install security apps, I can't run HijackThis. These are a few.


It disabled my firewall (XP built-in firewall) and the Automatic Updates service. I have to start 'em manually every time I restart. I still run AV free.


So the situation looks grim. I have to reinstall my OS, which I don't want to. It runs faster than ever. I don't think I've had an installation running for as long as this one.


So?


My question. Does anyone recognize this behavior?


There must be a way.


I have to say that I am computer proficient, so no way is the hard way for me.


Any input would be great.


Greets!

Comments

  • There is a tool called Dial-a-fix. It even fixes BIOS problems. You can download it from majorgeeks.com


    Here is the description:


    Dial-a-fix is a collection of 'known fixes' that have been compiled over the past year that really knock out some serious Windows problems, all with one or two clicks. "When in doubt, check 'em all".


    Dial-a-fix tackles issues with SSL/Cryptography, Windows Update, Microsoft Installer, and many miscellaneous shell problems. Example: If you get a blank screen when trying to visit Windows Update, simply checkmark the main Windows Update checkmark (in box #3) and click GO. Most issues can be resolved in a similar manner, if not by combinations of fixes. There is also a 'check all' button which is useful as a last ditch effort, or when you don't understand where a particular problem is coming from.


    Most of the fixes Dial-a-fix uses are found in various Microsoft Knowledgebase articles, and articles written by Microsoft MVPs. When you see a list of DLLs that need to be registered using REGSVR32.EXE, chances are they are already listed in Dial-a-fix. Mouseover a checkbox or button to obtain more information about what will be executed, or what DLLs will be registered.


    In a nutshell, Dial-a-fix: stops services, installs selected software (if packages are available -- see below), registers DLLs, restarts services, and removes several rogue policies. Dial-a-fix will not cause any issues if your system is already working properly. Dial-a-fix is a fix collection.


    About HijackThis not working: you can rename Hijackthis.exe to something else like moon.exe and run moon.exe instead.


    Please keep me informed.

  • kukubau
    edited March 2008

    Also I get "Error 193: 0xc1" every time I want to reinstall my AV proggie and other apps.


    First time, the kernel got killed. I can't start it manually, so I uninstalled the AV. I tried to reinstall it but no go.


    I read somewhere in a Microsoft KB that this is caused by a program.exe found in the root of the system drive and several other places like the Program Files and Common Files folders. I couldn't find any.


    I am currently scanning my drives with the BD online scanner. It found the Bagle worm. It is known to behave like this. The problem is that I can not undo any of the mess it did. I ran Symantec's Bagle remover tool but still the same thing.


    I can't install any security app, AV or even run HijackThis (even with the name change).


    Greets


    Every time I want to run an MS update like reinstalling Windows Installer 3.1 I get an "update.exe is not a valid win32 application". I also get this for other software: "is not a valid win32 application".

  • Dear kukubau,


    See if this can solve the "isn't a valid win32 application" problem: navigate to the Windows folder, then the repair folder, select the autoexec.nt file and copy it to the system32 folder. If asked about replacing, confirm that. See if it might not be hidden: go to Tools, Folder Options, View, check the option "Show hidden files and folders" and see if a file called program is now visible. You can try the specific removal tool, which you can download here. You have to download the one that the BitDefender online scanner detects.


    Best regards


    Niels
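    Two of the symptoms in this thread can be checked from PowerShell: the stray file called "program" (or "program.exe") that the KB quoted above ties to "Error 193: 0xc1" / "is not a valid win32 application", and the Windows Firewall and Automatic Updates services that keep ending up stopped. This is an added triage script, not code from any of the posters; the list of locations and the service names SharedAccess (Windows Firewall/ICS) and wuauserv (Automatic Updates) are assumptions based on the thread, not something the posts state.

```powershell
# Added triage script (not from the thread). Reports, does not change anything.
#   1. A *file* named "program" or "program.<ext>" at the root of the system
#      drive or in the Program Files tree (assumed locations, based on the KB
#      description quoted in the thread). Such a file shadows "Program Files"
#      in unquoted paths and yields Error 193 / "not a valid Win32 application".
#   2. State and start mode of the firewall (SharedAccess) and Automatic
#      Updates (wuauserv) services, which the original poster found stopped.

$Locations = @(
    ($env:SystemDrive + '\'),                    # e.g. C:\
    $env:ProgramFiles,                           # e.g. C:\Program Files
    (Join-Path $env:ProgramFiles 'Common Files')
)

function Find-StrayProgramFile {
    param([string[]]$Dirs = $Locations)
    $hits = @()
    foreach ($dir in $Dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # Only files count; the real "Program Files" directory is not reported
        # because its name contains a space, not a dot.
        Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Name -match '^program(\..*)?$' } |
            ForEach-Object { $hits += $_.FullName }
    }
    return $hits
}

function Get-ProtectionServiceState {
    # One object per service: Suspect is $true when it is not running or is disabled.
    foreach ($name in 'SharedAccess', 'wuauserv') {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) { continue }
        New-Object PSObject -Property @{
            Name      = $svc.Name
            State     = $svc.State        # Running / Stopped
            StartMode = $svc.StartMode    # Auto / Manual / Disabled
            Suspect   = ($svc.State -ne 'Running' -or $svc.StartMode -eq 'Disabled')
        }
    }
}

Find-StrayProgramFile | ForEach-Object { "Stray file shadowing Program Files: $_" }
Get-ProtectionServiceState | Format-Table Name, State, StartMode, Suspect -AutoSize
```

    A hit from the first function is the file the thread tells you to look for with hidden files shown; a Suspect service is what the original poster had to restart by hand after each reboot.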

  • Nope. It doesn't work


    In fact, I have a nastier bug that does all of this. The Bagle worm.


    The SOB doesn't let me run Spybot SD or any installer.


    I'm so ######

  • Niels
    edited March 2008

    Dear kukubau,


    Try this if you have bought the boxed version of BitDefender. Please put in the installation CD-ROM.


    Or if you don't have the installation CD-ROM, then download and burn this image, but be sure that you burn it as a bootable disk.


    Normally it should boot. If that isn't the case, then you need to change the boot priority so that your DVD/CD-ROM drive will be booted from first. You can change that in the BIOS or in a separate boot menu. Wait till the CD-ROM is loaded; you will now see the graphical user interface of BitDefender. Press the scan button. At the end of the scan you need to choose the action.


    Best regards


    Niels

  • What about Dial-a-fix? Did you try to remove the restrictions with this tool?


    If nothing works you can download a zip file to remove the restriction from the registry in order to get into safe mode and then apply the tools already named: http://blog.didierstevens.com/2007/02/19/r...ith-a-reg-file/


    Here is another free tool: http://www.softpedia.com/get/Antivirus/Win...oval-tool.shtml