I've got the VIRUS ALERT! virus/bug/malware, again! But I've no idea how! Here's the story...
(I'm running Windows XP Home SP3 - fully updated.) Friday I went for dinner and came back and all hell had broken loose. I've got:
- the old VIRUS ALERT! message by the clock in the taskbar;
- the flashing red circle with white cross telling me I need to download this and that;
- various warning pop-up messages;
- my background picture had disappeared and been replaced by white;
- various desktop shortcuts had been deleted;
- 3 new icons had been added (I can't remember what they are), something like Virus Protection, Virus Remover etc.;
- in the Start Menu all that was there were the Internet, Email, Most Used Programs and the Set Default Programs icons, as well as Shutdown (Log off... had disappeared);
- Ctrl+Alt+Del did not work (an error message said it had been disabled by the administrator);
- I tried a System Restore; a new restore point had been added (VIRUS ALERT! Last Known Good Configuration...), but all my previous restore points had gone, I couldn't even click on a previous month;
- finally, from what I could see on the System dialog (accessed from Control Panel before it disappeared), my computer now said Registered To: Mark ******* (several returns) then underneath VIRUS ALERT!
So I did a quick Google on my laptop and read that I should enter Safe Mode and run AVG and the Malwarebytes Anti-Malware program, so I did, and found several viruses/malware, but after the cleanup Windows was still how the virus had left it.
I decided I had no choice but to reinstall Windows, and whilst I was at it I decided I would re-partition my hard drive so I could install Linux (openSUSE) and I'm glad I did.
OK, so Saturday night/Sunday I reinstalled Windows XP Home SP2 on a 4-way partitioned 320GB hard drive (all partitions formatted under DOS conditions). I also installed SP3, as well as downloading and installing all available updates (including IE7 and Media Player 11). The following are the only other drivers and programs I had installed before VIRUS ALERT! struck for a second time:
- ASUS A7N8X motherboard drivers (nVidia nForce) - disc
- nVidia Graphics Drivers - disc
- Grisoft AVG anti-virus 8 - previously saved file (and updated online)
- Labtec keyboard driver - disc
- SafeCom Bluetooth Dongle - disc
- Epson DX5050 All-in-One Printer - disc
- Logitech Mouse - previous saved file
- Logitech Webcam - previous saved file
- Microsoft Office 2003 - ISO CD image file
- WinRar - previous saved file
- Windows Live Messenger - downloaded
- FireFox 3.0 - previous saved file
- uTorrent - downloaded
- Flash - downloaded from Adobe
- Shockwave - downloaded from Adobe
- Camtasia Studio 5 - downloaded from download.com
- Nero 8 Trial - downloaded from Nero (but installation cancelled as "Windows had not been restarted from a previously installed program")
I believe that's all I had installed. I didn't want to install too much until I had installed Linux (in case I messed it up, being a new Linux user). So here's what I was doing when the VIRUS ALERT hit the second time: I had Live Messenger running, Firefox open (with Linux openSUSE downloading at 93%), and IE7 open with 2 tabs, one was www.redimps.com and I had just typed in www.tomshardware.com when I noticed an MS-DOS box appear and it said "1 file copied". I thought, 1 file copied from where?!? Then it all began: CPU working at 100%, the VIRUS ALERT by the clock, warning pop-ups, 3 new icons, flashing red/white cross, (the download completed) then I restarted and all the Start Menu icons had gone as described above.
I could understand if I had downloaded some unknown file or if I had visited an unfavourable site, or if I had been naughty and used a keygen program (which sometimes can contain Trojans) just before the second attack, but I hadn't. It just seemed so random, especially with a clean install of Windows XP Home. AVG did kick in as the attack began and I Vault-ed a file that was in the TEMP folder.
I do have my old 80GB hard drive attached which is full of backup files, some normal docs and pics, some backed-up music and movies, some legit and some not so legit software with keygens. The drive also contains a working copy of Windows XP Home SP2 that I never uninstalled when I upgraded my hard drive 2 years ago (luckily).
I have been using the 80GB copy of Windows on and off all weekend without a hint of trouble, which leads me to think it's not to do with any files on that drive prior to the re-install of Windows on the 320GB hard drive.
I'm using Linux to post this; I thought since I've just installed it I'd give it a good play.
Any help, advice, or knowledge of where this **** virus comes from would be great. I've read it's meant to come from emails; previously all my emails were filtered through Firetrust's Mailwasher (allowing only known addresses to be received), being scanned by AVG as they were filtered, and then scanned again before downloading into Microsoft Outlook. The second time, although Outlook had been installed, it had not been run nor had any emails been filtered or downloaded.
Thanks
Mark