Well, Rob was having some serious problems with his PC. See
here and
here. He brought it to me and I took a stab at it. I'm writing about it in the hope that someone with the same problem will find this, since I did not find too much help with this particular bug, but lots of other viruses/spyware do the same thing, so it's probably universal.
In his blog he writes that he had no access to the Task Manager. I had a similar problem with a bug a while back at work, and
www.superantispyware.com removed the problematic spyware, so I told him to use that. When I got the PC from him it was already installed and updated, so I ran a complete scan. It found around 100 problems, removed them and rebooted. Still no Task Manager.
I checked in MSCONFIG and there were a few things in there that didn't look right: two-letter executables, like sw.exe, vw.exe and others, all of which were running. Since his Task Manager was not working, I plugged in my USB drive and launched Process Explorer, found
here. I killed those running programs and then went to \windows\system32 and deleted those files. There were around 6 of them.
In MSCONFIG he also had a file named 1031f.exe set to run at startup. It said it was located in the System32 folder. A quick look in Process Explorer said it was not running. I went to the System32 folder and it was not there either. I thought maybe it was hidden, so when I went to turn on the setting to let me see hidden files I found there was no Folder Options in the Tools menu, nor was there a Folder Options in the Control Panel. A quick Google showed me how to re-enable that option in Group Policy:
* Go to the Group Policy Editor (Start -> Run -> "gpedit.msc").
* Navigate to "User Configuration >> Administrative Templates >> Windows Components >> Windows Explorer".
* Finally, on the right, find the setting "Remove the Folder Options menu item from the Tools Menu", right-click it, and set it to Disabled (or Not Configured). It is this policy, when Enabled, that hides Folder Options.
Once I was able to get into Folder Options, no matter how many times I told it to show hidden files, the setting wouldn't stick. So I wasn't able to view the hidden files. I went back to Process Explorer, which has a Find Handle or DLL option at the top. I typed in 1031f.exe and it showed me that it was indeed running, but it had injected itself into svchost.exe. I had to get rid of that file.
While Googling the Folder Options fix I found a utility that re-enables features that viruses have a habit of disabling. Sure, I could do it all through the registry, but that was tedious. The utility is found
here.
I saved that app onto my thumb drive and rebooted Rob's PC into Safe Mode. Once I was in there, I ran that utility and re-enabled hidden files, the Task Manager and others. After that I was able to go into the SYSTEM32 folder and delete 1031f.exe. Then I ran another app on my USB drive called RegScanner, found
here. This app lets me search the whole registry very quickly, and it groups all the keys with my search value together. So I did a search for 1031f and then told RegScanner to give me a .reg file that would delete all those keys referring to that file.
He also had something else giving me errors on every boot, called AMVO.exe. I deleted that as well, from Startup, from the System32 folder AND from the registry.
I also ran CCleaner to delete all his internet temporary files and cookies for good measure.
I rebooted the PC and everything was accessible again, BUT his Task Manager would not load. Why? Because that virus had deleted it. So I copied it from my PC to his and he was good to go.
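The same cleanup as a script, added here as an example; it is not part of the original post and none of the tools above generated it. It assumes an elevated PowerShell prompt on the infected machine (PowerShell had to be installed separately on XP). The registry paths are the standard Windows policy and Explorer keys, the executable names are the ones mentioned above, and the SHOWALL/CheckedValue fix in step 2 is a common cause of the "hidden files won't stick" symptom that the post does not itself identify, so treat that part as an assumption.

```powershell
# Added example, not from the original post: re-enable what the malware disabled, then hunt for
# the startup entries, injected modules and registry references described above.

# --- 1. Re-enable Folder Options, Task Manager and the registry editor -------------------
# These are the values gpedit writes for the policies in question; deleting them is the same
# as setting each policy to Not Configured.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $explorer = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $system   = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if (Test-Path $explorer) {
        Remove-ItemProperty -Path $explorer -Name 'NoFolderOptions' -ErrorAction SilentlyContinue
    }
    if (Test-Path $system) {
        Remove-ItemProperty -Path $system -Name 'DisableTaskMgr', 'DisableRegistryTools' -ErrorAction SilentlyContinue
    }
}

# --- 2. Make "Show hidden files" stick ---------------------------------------------------
# Explorer stores the checkbox in HKCU\...\Advanced\Hidden but validates it against CheckedValue
# under the machine-wide SHOWALL key. Malware of this era often set CheckedValue to 0 or changed
# its type to REG_SZ so the setting reverts every time (assumed cause; the post does not say).
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name 'Hidden' -Value 1 -Type DWord
Set-ItemProperty -Path $adv -Name 'ShowSuperHidden' -Value 1 -Type DWord
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
if (Test-Path $showAll) {
    Remove-ItemProperty -Path $showAll -Name 'CheckedValue' -ErrorAction SilentlyContinue   # drop a wrong-typed value
    New-ItemProperty -Path $showAll -Name 'CheckedValue' -Value 1 -PropertyType DWord | Out-Null
}

# --- 3. Startup entries pointing at short, unfamiliar executables in System32 -------------
# The scripted version of eyeballing MSCONFIG's Startup tab for things like sw.exe or 1031f.exe.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }                       # provider metadata, not a value
        if ($p.Value -match '\\system32\\[a-z0-9]{2,5}\.exe') {
            '{0}\{1} = {2}' -f $key, $p.Name, $p.Value
        }
    }
}

# --- 4. Which processes have a suspect file loaded? ---------------------------------------
# Process Explorer's "Find Handle or DLL" showed 1031f.exe inside svchost.exe; walking each
# process's module list answers the same question.
$suspects = 'sw.exe', 'vw.exe', '1031f.exe', 'amvo.exe'             # names taken from the post
foreach ($proc in Get-Process) {
    try {
        foreach ($m in $proc.Modules) {
            if ($suspects -contains $m.ModuleName.ToLower()) {
                '{0} (PID {1}) has loaded {2}' -f $proc.Name, $proc.Id, $m.FileName
            }
        }
    } catch { }   # protected or cross-bitness processes refuse module enumeration; skip them
}

# --- 5. Find every registry reference to a name and write a .reg that deletes them --------
# What RegScanner's search plus "create .reg file" did. In .reg syntax "name"=- (or @=- for the
# default value) deletes that value on import; review the file before merging it.
function Find-RegistryString {
    param([string]$Pattern, [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE'))
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $k = $_
            foreach ($name in $k.GetValueNames()) {
                $value = [string]$k.GetValue($name)
                if ($name -match $Pattern -or $value -match $Pattern) {
                    New-Object PSObject -Property @{ Key = $k.Name; Name = $name; Value = $value }
                }
            }
        }
    }
}

$hits = Find-RegistryString -Pattern '1031f'
$hits | Format-Table Key, Name, Value -AutoSize
$lines = @('Windows Registry Editor Version 5.00', '')
foreach ($h in $hits) {
    $lines += "[$($h.Key)]"                                        # RegistryKey.Name is the full HKEY_... path
    $entry = if ($h.Name -eq '') { '@=-' } else { '"{0}"=-' -f $h.Name }
    $lines += $entry
    $lines += ''
}
$lines | Set-Content -Path "$env:USERPROFILE\Desktop\remove-1031f.reg" -Encoding Unicode

# --- 6. Restore taskmgr.exe if the malware deleted it -------------------------------------
# Copy it from a machine on the same Windows build and service pack (what the post did), or on
# XP from the Windows File Protection cache, which keeps a copy of protected system files.
$taskmgr = Join-Path $env:windir 'system32\taskmgr.exe'
$cached  = Join-Path $env:windir 'system32\dllcache\taskmgr.exe'
if (-not (Test-Path $taskmgr) -and (Test-Path $cached)) {
    Copy-Item -Path $cached -Destination $taskmgr
}
```

Run it from Safe Mode as the post did, so the malware's own processes are not there to re-apply the policy values behind you, and import the generated .reg only after reading it; a search string as short as `1031f` can match unrelated values.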
I gave the PC back to Rob last night. That's my story.