Sophos detects Virtu-gen, computer unusably slow after reboot



#1 Berconius

Berconius

  • Members
  • 3 posts

Posted 07 January 2009 - 01:08 PM

Hello,

About a day ago, Sophos antivirus (school supplied antivirus) said it detected a trojan (specifically Virtu-gen). It immediately prompted me to run a Trojan Hunt scan which I did. A specific .dll file from my system32 file kept coming up in the scan as belonging to Virtu-gen, but I could not find a file by that name and do not have its exact name anymore (pedawne or something similar). Sophos flashed this alert about 14 times. At the end of the scan, I was told to reboot and that no action could be taken until reboot.

During the scan, my unupdated Windows Defender (also school supplied, unupdated because I have tenuous internet at home and am on break) ran a scan of my system with no results.

I manually rebooted through the shutdown/restart as opposed to the Sophos button at the end of the scan. I did not see if anything strange happened during startup as I had gone off to brush my teeth. When I came back, my system had become unusably slow. I have just gotten Sophos to even open in the last few minutes, about 30 minutes after startup. Task manager is unusable as it takes a long time for me to be able to click on anything. I managed to get to the processes tab, but when I try to scroll down or click on an application, it tries to refresh the window and gets nowhere. CPU usage reads as 100% but none of the processes I can see in the window without scrolling are the culprit, though Tea Timer is using 1 percent.

I read the Sophos guide on how to resolve this issue and am unable to implement it as my computer is still unable to access quarantine or initiate a scan. The links and buttons in the Sophos window are unresponsive. I have more or less determined that I am completely unable to run applications due to this slowdown.

The little flashing light that usually activates when the CPU is working is not flashing at all, even when task manager thinks I am using 100% of my CPU.

In attempting to resolve this issue after the catastrophic reboot, I tried rebooting in safe mode through the F8 method, but startup freezes up when I do this. I get as far as a screen full of file names from the system32 folder when they stop scrolling and the system becomes unresponsive.

I am using the internet from a library computer at this point.

I have tried rebooting the system several times in safe or normal mode, restoring last known good settings, allowing scan disk to run from hard resets and not letting it run after hard resets to no avail.

I am running Windows XP Media edition on an Acer Aspire 5600 with a 1.6 GHz Core Duo processor, 1.5 GB RAM, and two 50 GB hard drives (so I figure if worst comes to worst I can salvage one).

I do not THINK I have boot disks for windows XP, so I am not sure if I can reformat my system if needed. If there are other options to do that, I would still be willing.

It may take some time for me to respond to any advice since, as stated above, I am using a library computer at the moment, and my time online is limited. Thanks for your time.

Edited by Berconius, 07 January 2009 - 01:28 PM.



#2 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,090 posts
  • Gender:Male
  • Location:Southeastern CT, USA

Posted 07 January 2009 - 01:11 PM

Try rebooting to Safe Mode with Networking and then follow the advice here: http://www.bleepingcomputer.com/blogs/usas...?showentry=1252
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#3 Berconius

Berconius

Posted 07 January 2009 - 01:47 PM

Thank you for the fast response. I have not tried safe mode with networking, though safe mode with command prompt fails the same way that ordinary safe mode does. I will attempt this momentarily, though a new strange item has appeared. Spybot Search & Destroy is giving me a "value deleted" window:

Entry: BootExecute
Value deleted: autocheck autochk *

I have not picked allow or deny yet. This almost seems like it is trying to get me to kill scandisk?

I have also finally gotten to my quarantine section in Sophos antivirus and it says that the trojan is located in "C:\Windows\system32\pebigamu.dll", while the Sophos popup is saying that "C:\Windows\system32\pedanawe.dll" also belongs to Virtu-gen. I am unable to find either one manually. My quarantine window offers no actions: "cleanup incomplete, manual removal required." I am suspicious that this may be the result of either not scanning every file or interrupting scandisk on this startup, but I am not sure.

Presently going to try using the search function on the two files that came up. Will log out of this terminal to conserve time. Thanks for your time.
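The Spybot prompt above concerns the BootExecute value (a REG_MULTI_SZ under the Session Manager key, whose Windows XP default is the single entry "autocheck autochk *" that runs chkdsk at boot). The following is an added example, not code from this thread or from Sophos/Spybot: run as an administrator from a working session on the affected machine (for instance the Safe Mode with Networking suggested earlier), it reports whether BootExecute still holds its default and looks for the two DLL paths Sophos named directly by path, since a search in Explorer can miss hidden files. It assumes only built-in PowerShell 2.0 cmdlets and .NET classes.

```powershell
# Added example: check BootExecute and the two DLLs named in the thread.
$key      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$expected = @('autocheck autochk *')   # Windows XP default (assumption: unmodified system)

$boot = (Get-ItemProperty -Path $key -Name BootExecute -ErrorAction SilentlyContinue).BootExecute
if ($null -eq $boot) {
    Write-Warning 'BootExecute is missing: autochk/chkdsk will not run at boot.'
} elseif (@(Compare-Object -ReferenceObject $expected -DifferenceObject @($boot)).Count -eq 0) {
    Write-Output "BootExecute is the default: $($boot -join '; ')"
} else {
    # Anything other than the default deserves a look; entries are run by smss.exe
    # before any antivirus service starts.
    Write-Warning "BootExecute differs from the default: $($boot -join '; ')"
}

# File paths quoted from the Sophos quarantine and popup in this thread.
$suspects = @(
    'C:\Windows\system32\pebigamu.dll',
    'C:\Windows\system32\pedanawe.dll'
)
$sha256 = [System.Security.Cryptography.SHA256]::Create()
foreach ($p in $suspects) {
    if (Test-Path -LiteralPath $p) {
        $item  = Get-Item -LiteralPath $p -Force          # -Force also returns hidden/system files
        $bytes = [System.IO.File]::ReadAllBytes($p)
        $hash  = [System.BitConverter]::ToString($sha256.ComputeHash($bytes)).Replace('-', '')
        # The hash identifies the sample when submitting it to an online scanner.
        Write-Output ('FOUND {0} size={1} attrs={2} sha256={3}' -f $p, $item.Length, $item.Attributes, $hash)
    } else {
        Write-Output "not present: $p"
    }
}
```

A file that is "not present" here but still reported by the scanner points to a hidden-file or rootkit technique rather than a stale detection, which is worth mentioning when asking for help in the malware removal forum.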

#4 usasma

usasma


Posted 07 January 2009 - 02:09 PM

You can submit them to http://virusscan.jotti.org for an analysis to see if they're both infected.
From what I've seen so far, this appears to be an infection - so I'm going to move it over to the Am I Infected forum for some more expert assistance....

#5 Berconius

Berconius

Posted 07 January 2009 - 02:32 PM

From what I've seen so far, this appears to be an infection - so I'm going to move it over to the Am I Infected forum for some more expert assistance....

Thanks, I am suspecting the virus. The inoperable speeds of my system made me think that something else may have made the situation worse, though as time goes on, it seems that things will still run, though only at extremely low speed. (Getting Sophos to start scanning, for example, took about 5-10 minutes between clicking "Save and Start" and items actually starting to get scanned.)

Still open to any tips. I am particularly concerned about how my system fails to boot in safe mode at all.
