I think I have a virus

Elemennop

Member
Dec 3, 2004
93
0
0
I'm pretty sure I either have spyware or a virus hurting my computer, and I'm leaning more towards the latter. My MSI LAN utility program shows that I'm sending out packets pretty much as fast as I possibly can, even at startup with no network-using programs that I know of running. On top of this, I'm unable to scan at all with Spybot (it just sits there when I try to scan), and Ad-Aware freezes at the end when I try scanning. When I attempt to get a new download of this (or a download of pretty much anything), the download will AT BEST get halfway through and then just stop working all of a sudden (on Firefox; on Internet Explorer the download window just freezes). The very worst part is this: I'm completely unable to open Task Manager to look at the processes running. Every time I press Ctrl-Alt-Delete to open it or open it by right-clicking the taskbar, it will open another icon in the bottom right corner saying that a Task Manager window has opened, but none will come up (and all efforts to make it appear on the screen fail to work as well).

Are there any tips on how to fix this? I'd rather not go as far as formatting this computer.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
First of all, a quick question: do you have a router, or no router?
 

boshuter

Diamond Member
Feb 11, 2003
4,145
0
76
Do you have an up to date anti virus program? Try booting into safe mode and see if you can scan with anti virus and spybot.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Since I had nothing else going on... There's a systematic method here, so please try to follow the routine step by step. If you can view this page in Internet Explorer, you can click File > Save As... and save it as a .mht file, a "web archive," for viewing offline.

  1. Disable System Restore.
  2. Restart the computer in Safe Mode With Networking.
  3. Open Notepad. If Notepad won't run, go to C:\WINDOWS\SYSTEM32\ and find Notepad.exe. Copy it to the desktop, then rename the copy to Notepad.com and run that. Use Notepad to open C:\WINDOWS\SYSTEM32\DRIVERS\ETC\Hosts. If there are any entries other than "127.0.0.1 localhost" in your HOSTS file, remove them. Scroll down to make sure stuff isn't hidden way down the page out of sight.
  4. Download WinSockFix. If you tear out the malware, but then you can't reach the Internet, you'll want to run WinSockFix.
  5. Try to open Task Manager here in Safe Mode w/Networking. If it opens, try to terminate all processes except for explorer.exe. If they won't terminate, that's fine, but try. Stay in Safe Mode w/Networking, and go on to the next step.
  6. Grab my instructions in this text file and follow them, pretty easy. If you have lots of data then it will take a long, long time to scan... let it rip overnight. Remember, you want to be doing this scan in Safe Mode w/Networking. You can unplug the network cable while the scan is running, can't hurt.
  7. That scan is just a preliminary knockdown punch. Once the scan is complete, stay in Safe Mode and see if you can open regedit.exe (Start > Run > Regedit.exe). If it won't open, find it in C:\WINDOWS\SYSTEM32, copy it to desktop and rename the copy to regedit.com. Go to this Registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

    Nuke any values in the right panel so it isn't keeping you from running programs, then close Regedit.
  8. Now you want to (surprise) stay in Safe Mode w/Networking and download the following files. If they have trouble downloading, run WinSockFix but then make sure to choose Safe Mode With Networking again when WinSockFix wants you to reboot, and resume from here.
    • your Microsoft AntiSpyware beta from here
    • a free 30-day trial of Kaspersky Antivirus Personal 5 from here
    • SpywareBlaster from here
    • F-Secure BlackLight beta from here (rootkit killer)
    • HijackThis 1.99.1 from here
  9. Still in Safe Mode w/Networking, run Spybot Search & Destroy if it will run.
  10. Still in Safe Mode w/Networking, run F-Secure BlackLight after renaming it to something other than its original name.
  11. Still in Safe Mode w/Networking, if you have other antivirus software, update it if it will do so. Go through its panels and max out all detection options.
  12. Still in Safe Mode w/Networking, run HijackThis, have it scan & save a log, and paste the log text into http://hijackthis.de. Kill anything it marks as suspicious or bad, unless you know for sure it's ok.
  13. Unplug your network cable or turn off your wireless access point, then reboot into Normal Mode for the second round :)
  14. Uninstall your current antivirus software, and install the Kaspersky trialware.
  15. On the Settings tab in Kaspersky, set the real-time and on-access scanners to Maximum as shown on this page and click the Configure Updater and have it update "From Internet, Extended Databases." Now execute an update by right-clicking its tray icon and updating.
  16. Install the Microsoft AntiSpyware Beta software and have it update, then run a scan and make sure it kills everything it finds, no Ignores. Install SpywareBlaster and update it, then click the Protection tab and click Enable All Protection.
  17. Now reboot into Safe Mode again. Run an exhaustive scan using Kaspersky in Safe Mode. The more data you have, the longer this will take, so expect it to take a while. Restart in Normal Mode and keep an eye on the system, see if the bugs are dead.
  18. Check to ensure that Windows Firewall is enabled, unless you use some other firewall. ZoneAlarm might be a good idea for a while, since it'll ask you about programs that are trying to get out to the Internet. Plus you can see at a glance if ZoneAlarm is not running.
  19. After all of that, I would also right-click My Computer > Manage > Local Users & Passwords > Users, make sure all the accounts are legit, right-click each account and give it a strong password so malware can't help itself to your Admin powers. Then download and run Microsoft Baseline Security Analyzer and work on any weak areas it finds.
  20. If you have a router, log into it and lock all traffic, both TCP and UDP, on all ports from 111 to 442 and from 444 to 65535, then watch the logs for a while to see if there's any hanky-panky going on where your system's trying to call out for no known reason.
Hope that helps :) edit: added some stuff.
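The two manual inspections in steps 3 and 7 above (the HOSTS file and the DisallowRun policy key) can be done read-only from a script, which is handy when Notepad and Regedit themselves are being blocked. The following is an added example and is not code from the thread or from any of the tools it names; it assumes PowerShell 3 or later running in an elevated prompt, and the `Get-TaskManagerPolicy` function goes one step beyond the thread by also reading the `DisableTaskMgr` policy value, the usual cause of the "Task Manager won't open" symptom the original poster describes. It changes nothing; it only reports what it finds so you can decide what to remove.

```powershell
# Added example (not from the thread): read-only audit of what steps 3 and 7 check by hand.
# Assumes PowerShell 3+ and an elevated prompt.

function Get-SuspiciousHostsEntries {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts')
    )
    # Only the loopback mappings are expected in a clean HOSTS file; report everything else.
    $expected = @('127.0.0.1 localhost', '::1 localhost')
    Get-Content -Path $Path -ErrorAction Stop |
        ForEach-Object { (($_ -replace '#.*$', '') -replace '\s+', ' ').Trim() } |  # drop comments, collapse whitespace
        Where-Object { $_ -ne '' -and $expected -notcontains $_ }
}

function Get-DisallowRunValues {
    # Values under this key name executables that Explorer refuses to start (step 7).
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
    if (-not (Test-Path -Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |                     # skip the provider's own PSPath etc.
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Value = $_.Value } }
}

function Get-TaskManagerPolicy {
    # Beyond the thread's steps: a DisableTaskMgr value of 1 here blocks Task Manager outright,
    # which matches the symptom described in the first post.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    if (Test-Path -Path $key) { (Get-ItemProperty -Path $key).DisableTaskMgr }
}

# Report only; nothing below modifies the system.
$hostsHits = @(Get-SuspiciousHostsEntries)
if ($hostsHits.Count -gt 0) {
    Write-Output 'Unexpected HOSTS entries (step 3 says to remove these):'
    $hostsHits | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output 'HOSTS file contains only the localhost mappings.'
}

$disallow = @(Get-DisallowRunValues)
if ($disallow.Count -gt 0) {
    Write-Output 'DisallowRun values present (step 7 says to delete these):'
    $disallow | ForEach-Object { Write-Output "  $($_.Name) = $($_.Value)" }
} else {
    Write-Output 'No DisallowRun values found.'
}

$tm = Get-TaskManagerPolicy
if ($tm -eq 1) {
    Write-Output 'DisableTaskMgr is set to 1: Task Manager is being blocked by policy.'
} else {
    Write-Output 'Task Manager is not blocked by the DisableTaskMgr policy.'
}
```

Run it in Safe Mode with Networking as the steps suggest, and keep a copy of the output so that after cleanup you can rerun it and confirm the entries are gone rather than quietly re-created by a surviving component.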
 

Elemennop

Member
Dec 3, 2004
93
0
0
Thanks, MechBgon!! That was an excellent walkthrough, and it got rid of the virus (as well as some other things). Hopefully I'll be wiser next time and not get myself into a position where I'll have to go through all this again. :)