Posted 30 November 2009 - 11:49 AM
I've been dealing with this problem for days. I am pretty good at computers and have peeled some of the layers of this virus but could use some further help. My XP install is still dangerously infected and it seems only sensible not to go on the Net while in this state. Therefore, I've booted into Linux at the moment and I am able to do research and communicate with Forums.
Some comments and learning curve stuff:
McAfee blissfully ignored the original infection and subsequent scans revealed nothing. The Website at least acknowledges the existence of the virus but makes reference to their "Current Dat." as the solution. Wrong, Wrong, wrong! I am mildly pissed at McAfee!!
Malwarebytes did pick up some infections in the registry and files. Having researched the Web extensively it almost seems senseless to name them specifically because I've seen many variations in registry Key names and filenames reported by other victims. This virus is quite the chameleon.
I've learned that if you attempt loading Task Manager while the machine is still booting, it's possible to get it running before the virus is fully operational.
In Task Manager I've noted a suspicious Process named "vmcisysguard.exe". Upon stopping the Process the machine will allow me to load any program. I still get the stupid infection warnings and it will occasionally load IE, but at least I can dig deeper into the problem. It's interesting to note that repeated searches of my hard drive have not revealed the existence of this Executable. Also, a Google search on this Executable came up almost empty. There is reference to "Vmci" but that turned out to be a product for large-scale deployment of databases across the Web. Maybe a piece of THEIR product was hijacked?? Google showed that Bleepingcomputer.com had references to the file but when I ran down the link nothing was found.
Another item worth mentioning is the file "wmiprvse.exe". This is a Microsoft program titled "Windows Management Information." It's used in an enterprise environment to query and set up desktops, databases, and other enterprise components. It's also apparently a target for hijacking by viruses. Although multiple copies can be found in Task Manager, I found dozens of them. Only one listing appeared but as I ended the process another one would replace it with a different PID. I tried searching and then renaming the file in multiple locations on the hard drive. A reboot would cause it to reappear and Event Viewer Info showed that the "file had been modified and a new copy was installed from Restore." I'm not sure if this is significant.
As I dig deeper and (hopefully!) learn more I will report it here. However, if anybody has further insight I sure would appreciate your assistance.
Thanks in advance!!
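The triage the post describes by hand (spotting a process by name in Task Manager, hunting for its image on disk, watching wmiprvse.exe respawn) can be done in one pass from PowerShell. The script below is an added example and is not from the original post or any replies to it. It assumes Windows PowerShell 2.0 or later with WMI available on the machine being examined, run from an elevated prompt. The two process names come from the post above; the expected on-disk locations of a genuine wmiprvse.exe and its usual parent (svchost.exe) are the script's own assumptions and should be confirmed against a known-clean system of the same Windows version. For each matching process it reports the real executable path, the parent process, the Authenticode signature status and a SHA-256 hash so the file can be compared against a clean copy.

```powershell
# Added triage example (not code from the original post).
# Assumptions: Windows PowerShell 2.0+ with WMI; elevated prompt; process names from the post.
$WatchList = @('wmiprvse.exe', 'vmcisysguard.exe')

# Where a genuine WMI provider host normally lives (assumed; confirm on a clean machine).
$ExpectedWmiPaths = @(
    (Join-Path $env:SystemRoot 'System32\wbem\wmiprvse.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\wbem\wmiprvse.exe')
)

# SHA-256 via .NET so it works on PowerShell 2.0, which has no Get-FileHash.
function Get-FileSha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

function Get-SuspectProcessReport {
    param([string[]]$Names)

    foreach ($name in $Names) {
        # Win32_Process gives the image path, parent PID and command line for every instance,
        # which Task Manager on XP does not show.
        $procs = @(Get-WmiObject -Class Win32_Process -Filter "Name='$name'")
        if ($procs.Count -eq 0) {
            Write-Host "No running process named $name"
            continue
        }
        foreach ($p in $procs) {
            $parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
            $parentName = if ($parent) { $parent.Name } else { '<exited>' }

            $path   = $p.ExecutablePath
            $status = 'no path reported'   # happens when rights are lacking or the image was deleted
            $signer = 'n/a'
            $hash   = 'n/a'
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig    = Get-AuthenticodeSignature -FilePath $path
                $status = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                $hash   = Get-FileSha256 -Path $path
            }

            # Flags are hints for the analyst, not verdicts.
            $flags = @()
            if ($name -eq 'wmiprvse.exe' -and -not ($ExpectedWmiPaths -contains $path)) {
                $flags += 'unexpected path'
            }
            if ($name -eq 'wmiprvse.exe' -and $parentName -ne 'svchost.exe') {
                $flags += 'unexpected parent'
            }
            if ($status -ne 'Valid') {
                $flags += "signature $status"
            }

            New-Object PSObject -Property @{
                Name        = $p.Name
                PID         = $p.ProcessId
                ParentPID   = $p.ParentProcessId
                Parent      = $parentName
                Path        = $path
                CommandLine = $p.CommandLine
                Signer      = $signer
                SHA256      = $hash
                Flags       = ($flags -join '; ')
            }
        }
    }
}

Get-SuspectProcessReport -Names $WatchList |
    Format-List Name, PID, ParentPID, Parent, Path, CommandLine, Signer, SHA256, Flags
```

Two things to keep in mind when reading the output. On XP (and Windows 7) most system binaries are catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature reports NotSigned for a genuine wmiprvse.exe on those versions; there, the SHA-256 compared against the same file from a clean install of the same service pack is the check that matters, not the signature flag. Also, WMI provider hosts are started on demand by DCOM, so a new wmiprvse.exe with a fresh PID appearing after you kill one is normal by itself, and on XP Windows File Protection restores protected system files from the dllcache folder, which is what the "new copy was installed from Restore" event describes. A provider host whose image sits outside the wbem folder, whose parent is not svchost.exe, or whose hash differs from a clean copy is what deserves attention.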