Solved

Virus - Shuts down Process Explorer/IE if go to virus website/PC-cillin

Posted on 2004-09-23
Last Modified: 2013-12-04
I seem to have a virus on my 233MHz PII Win2K Pro system.

PC-cillin causes the virus to hog all CPU time so that anti-virus software will not run.  The process viewer under Task Manager is a gray screen.  HijackThis is terminated as soon as it starts.  Process Explorer will not start.  Internet Explorer will shut down if I try to go to a virus-related website.  Regedit will not run.  The virus retains these abilities if I go to safe mode.  Ad-aware does not find anything.  As long as I don't try to remove the virus, it lets the system run as normal only slower.  If you try to remove it, the system grinds to a halt due to CPU usage going way up.  Task Manager will let you kill a user program and monitor CPU usage.  Only the process termination screen is affected.  I am having to use my laptop to type this message.

I downloaded the Gaobot virus removal tool from Norton and changed the file name and executed it from a floppy.  It did not find the virus on the system.

Basically, I can't identify the virus so as to try to remove it from my System.

Help,
Lanny
Question by:LannyP
11 Comments
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12136462
Hello LannyP =)

Can u think abt Slaving ur hard drive in another system, and then perform a virus scan on it to delete all viruses present on it, or manually delete the infected files if u know abt them :-?
U can also use Stinger for cleaning ur system >> http://vil.nai.com/vil/stinger
0
 

Author Comment

by:LannyP
ID: 12136732
I do not have another system to slave the hard drive into.  I was able to get to the stinger site and execute the stinger program.  It has been running 30 minutes and has not found the virus.  I will let you know the results when it finishes scanning.  Thanks
0
 

Author Comment

by:LannyP
ID: 12137183
Stinger finished scanning and found 164750 clean files -- no virus!  Of my problem is still there.  New info -- I found a list of files in the /winnt/system32/drivers/etc/hosts file that were directing my IE to dns not found errors.  I eliminated the extra entries and made the file read-only.  The virus does not seem to be able to change the file again after the read-only status.  IE will still shut down if I visit certain websites.  Hope this info helps.  LannyP
0
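An added example, not part of the original thread: a small audit of hosts-file text that flags the kind of entries described in the comment above, where names are pointed at a loopback or null address so the browser cannot reach them. The keyword list and the sample file contents are constructed assumptions for illustration.

```python
import ipaddress
import sys

# Illustrative keyword list (an assumption); extend it with the vendors you use.
SECURITY_KEYWORDS = ("symantec", "norton", "mcafee", "nai.com", "trendmicro",
                     "sophos", "kaspersky", "f-secure", "windowsupdate")
BENIGN_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample, not taken from the poster's machine.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantecliveupdate.com   # trailing comment
0.0.0.0         download.mcafee.com update.example-av.test
192.0.2.10      intranet.example.test
not-an-ip       broken.example.test
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each name mapped in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # strip comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not a valid mapping line
        for name in fields[1:]:                 # one line may carry several aliases
            yield line_no, ip, name.lower()


def audit_hosts(text):
    """Return (severity, line_no, ip, hostname) for every non-default entry."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in BENIGN_NAMES:
            continue
        sinkholed = ip.is_loopback or ip.is_unspecified   # 127.x.x.x, ::1, 0.0.0.0
        security = any(k in name for k in SECURITY_KEYWORDS)
        severity = "high" if security else "review" if sinkholed else "info"
        findings.append((severity, line_no, str(ip), name))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for finding in audit_hosts(text):
        print("%-6s line %d: %s -> %s" % finding)
```

Pass the path to the hosts file as the first argument to audit a real file. A process running with administrative rights can clear the read-only attribute, so re-run the check after cleanup rather than relying on the attribute alone.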
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12137240
hmmmmm do this, in IE>Tools>Internet Options>Advanced>untick Enable Third Party Browser Objects
apply and check ??

Also Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then Post the log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix everything which it labels as Nasty :)
To Fix, check the lines and click on Fix Checked !!

But if still u cannot get it working, then Post here that LOG file, and we will tell u that what is BAD in it and how to remove them :)
0
 

Author Comment

by:LannyP
ID: 12137621
I can get to radiosplace.  If I try to open HiJackthis immediately; it is simply terminated.  I can download it to my drive ok.  When I try to execute it from my drive it is terminated as soon as it starts.

I have removed viruses before but this thing is horrible.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12137651
when u download msconfig from here >> http://www.perfectdrivers.com/howto/msconfig.html
and try to open it, does it open ??

if u can open it, then goto Startup section, and untick all applications except ur Antivirus and firewall softwares, reboot and now check if u can run hijackthis or not,,,, or try it in safemode !!
0
 

Author Comment

by:LannyP
ID: 12137713
msconfig.exe is killed just like Hijackthis.  The window flashes as it is trying to startup but then the process is terminated.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12137741
hmmmmmmmm that means u are having this problem =\

Task Manager, MSCONFIG, or REGEDIT disappears while opening:
http://www.mvps.org/sramesh2k/ToolsQuit.htm
( site credit goes to Ramesh >> http://www.experts-exchange.com/M_926622.html :)
0
 

Author Comment

by:LannyP
ID: 12138102
=< Close but not quite the same problem.  In the examples on the tools quit page the taskmgr.exe file is terminated.  On mine the taskmgr.exe runs.  You can access the applications and performance tabs fine.  The process tab is just a gray window.  The other files hijackthis, msconfig, process explorer are simply terminated immediately.  Anyway I can change the name of any of the files and the virus still knows what they are and reacts like the nasty virus it is.
0
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 500 total points
ID: 12139769
U didn't tell me abt the safemode results,,,,, coz if in Normal mode a background process is causing these problems,,,, in safemode it will be not there,,,, so these problems shudn't occur there !!

and if it Does occur there,,,, then we are in trouble,,,, coz not Antivirus is picking it up, we dont know abt this virus so we can manually search for its variant files,,,,, we will get stuck !! =\
0
 

Author Comment

by:LannyP
ID: 12140258
Success!!!!  I downloaded "Security Task Manager" and opened it from the website.  This allowed the program to start from the zipfile which the virus could not detect.  I used this program to kill all unknown processes.  Now my anti virus software could run.  The Culprits were w32.spybot.worm / backdoor.hacarmy.c  /  and  backdoor.core.flood

Thanks for your help!!!! =)
0
