got this new virus!

[ddd]

here's the problem. nod32 finds new kind of virus, but it cannot be removed since is the new kind of virus. it runs in c:\windows\winrun.exe
i can't open taskmanager, so i really don't know what to do!
please help!!!!

[Blackspear]

Have you tried rebooting into Safe Mode and running a scan that way?

Just make sure Nod32 is set up as per instructions mentioned in post number 2 HERE.

Hope this helps...

Let us know how you go.

Cheers

[Marcos]

Whenever NOD32 finds a probable unknown NewHeur_PE virus, tick the Quarantine check-box before deleting the file. It should be possible to delete even viruses detected by heuristics. After the scan completes, reboot the machine and send the content of the program files\eset\infected folder to sample@eset.com. Should there be a problem deleting the file, boot to safe mode first as suggested by Blackspear.

If you stuck somewhere then download ProcessExplorer from www.sysinternals.com

Rename the executable to hahayes.exe (that it cannot be terminated within process name) and kill the process During kill process maybe you hear this bugger crying, but dont spend attention to that

[ddd]

well my nod32 can't delete the selectede virus not even put in quarantine!

[Blackspear]

Quote:

Originally Posted by ddd

well my nod32 can't delete the selectede virus not even put in quarantine!

Have you tried it in Safe Mode?

[ddd]

yes, now it seems that the virus is deleted but i still can't open task manager?!

[Blackspear]

Quote:

Originally Posted by ddd

yes, now it seems that the virus is deleted but i still can't open task manager?!

Can you please send the quarantined file found in C Drive> Program files> Eset> Infected to sample@eset.com

If you find Windows system files affected, you can place your Windows CD in the drive, click start> run type in CMD, when the black window opens type in "sfc /scannow" SFC (System File Checker, a part of Windows File Protection) will replace any changed/damaged system files with a clean copy. SFC may not solve every problem, but it's a good start that anyone can do.

Hope this helps...

Let us know how you go.

Cheers

[Marcos]

What about changing the appropriate registry value?

User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
System]
Value Name: DisableTaskMgr
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = disable Task Manager)

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system.

[ddd]

i've checked in the registry, but the tskmanager is not disabled. when i try to open tskmanager i get the message ''the tskmanager was disabled by your administrator''??

http://www.dougknox.com/xp/utils/xp_taskmgrenab.zip

[ddd]

thx a lot Happy Bytes!

[ddd]

there is another thing: when i try to open my dvd rom i get no result; if i try this with another account on win xp i have no problems. any idea why is this happening.

Open the CDRom how ?
Via right click and eject media or pressing the button directly on the drive?

[alglove]

Quote:

Originally Posted by ddd

i've checked in the registry, but the tskmanager is not disabled. when i try to open tskmanager i get the message ''the tskmanager was disabled by your administrator''??

The Task Manager can be disabled with a registry entry or group policy. Once way to reenable it is to go to HKEY_CURENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System . On the right side, look for DisableTaskMgr , which should be of type REG_DWORD. If it is not there, create it. DisableTaskMgr should have a value of 0 (zero, not the letter O).

[alglove]

Quote:

Originally Posted by ddd

there is another thing: when i try to open my dvd rom i get no result; if i try this with another account on win xp i have no problems. any idea why is this happening.

It sounds like something in that login is accessing the DVD-ROM drive, or at least keeping it locked. Try looking in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run... entries for something that should not be there.

[ddd]

i can't open dvd in my explorer (only when i use my account!). otherwise i can open it with other accounts on my comp.
i've checked HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, but nothing weird was there!

[alglove]

Any CD/DVD burning applications on your computer, like Nero, Roxio, etc.?

[NOD32 user]

Hi ddd,
Nothing to add with regards to the exact cause but its highly likely your issues are indirectly the result of using KaZaA or WinMX. Do you use either of these?
I am a bit curious today but I'm wondering also if you've got Advanced Heuristics turned on and all the other bells and whistles - I can't see if you said it is or not? Apart from the link above Blackspear also has an excellent config guide for NOD32 somewhere.

[ddd]

well i don't use kazaa or winmx nad YES i have turned on advanced heuristic,...
i reinstalled SP2 and now it's seems ok.
the weird thing was that i couldn't quarantine the winrun.exe, nod32 just deleted it?!

[ShunterAlhena]

Quote:

Originally Posted by ddd

the weird thing was that i couldn't quarantine the winrun.exe, nod32 just deleted it?!

Quarantine in NOD32 doesn't work like in other AV products like in Norton. Here it means that before deleting, cleaning etc. the infected file, NOD32 creates a secure copy of it in the 'infected' folder contained where NOD32 was installed to. So it's not a separate action. If you ticked the checkbox, the copy should be made and accessible via "NOD32 System Tools \ Quarantine".

[ddd]

hm, it's been more than two weeks now that i got rid of that virus (?), but i have another problem. i kinda lost my administrative rights on my winxp pro sp2. i tried everything, but still i cannot delete some files from partition d: and even on c:
is it normal that some viruses mess up your registry?

[Blackspear]

Quote:

Originally Posted by ddd

is it normal that some viruses mess up your registry?

Indeed, have you tried what I posted above?

If you find Windows system files affected, you can place your Windows CD in the drive, click start> run type in CMD, when the black window opens type in "sfc /scannow" SFC (System File Checker, a part of Windows File Protection) will replace any changed/damaged system files with a clean copy. SFC may not solve every problem, but it's a good start that anyone can do.

Cheers

[alglove]

Quote:

Originally Posted by ddd

hm, it's been more than two weeks now that i got rid of that virus (?), but i have another problem. i kinda lost my administrative rights on my winxp pro sp2. i tried everything, but still i cannot delete some files from partition d: and even on c:
is it normal that some viruses mess up your registry?

How do you know that the registry is the problem? It could be something else preventing you from deleting these files, like NTFS ownership/permissions. What kind of error messages do you get when you try to delete these files? File locked or in use? Insufficient privilege? Something else?

[ddd]

Blackspear i've tried what you proposed but it stopped during the process (i think it was the problem with SP2, because my WIN XP has on CD SP1).
when i try to delete certain files i get the message i don't have permission for deleting files (it's strange cause i'm the administrator for my account). i even can't install some programs on partition d:
i've looked on internet and some had the same problem-virus, messed up registry,...
so my guess is that i got messed up registry so i don't have permission for some thing. strange it seems that always bad things happen to me!