It is a .DLL with a random file name, guarded by an exact duplicate with the same file name plus .dll.BAK. Both are loaded and neither can be conventionally deleted. The virus code is loaded three ways: as a BHO (which XP can apparently disable), as a Winlogon Notify object, and, the most insidious way, as a dummy service created with a random name and the description "Microcode Update Helper". The service is not a program but a proxy which links to the virus .dll. The service runs under svchost and cannot be stopped or disabled unless the host is killed. Now, here's the really crafty part. This virus constantly refreshes itself in the registry. If you delete any entries, it recreates them immediately; if you disable the service, it re-enables it immediately; if you set up a program to delete it on reboot, it deletes the entries in the registry so the delete is never executed; and it somehow prevents System Restore from working even though restore points are being created normally.
The service running in svchost can be killed without crashing the machine, using tasklist or Task Manager, if you find the correct PID of the svchost. But the DLL ends up attached to explorer.exe, svchost, winlogon and csrss. Killing it gives the blue screen of death.
I hate to have to reload the operating system since I have so much installed software. But this thing is very nasty and defied all of my best tricks to kill it. Has anyone heard of anything like this?
Moderator Edit: Moved topic to more appropriate forum. ~ Animal
Edited by Animal, 13 April 2007 - 01:30 PM.
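As an added, read-only triage example (not from the poster or any forum member), the script below enumerates the three persistence locations the post describes on a Windows machine (Winlogon Notify packages, Browser Helper Objects, and svchost-hosted services with a ServiceDll) and flags any loaded DLL that has a sibling ".dll.BAK" twin, the tell-tale the poster mentions. The registry paths are the standard ones; the helper name New-Finding is an assumption of this example.

```powershell
# Added triage script, not part of the original post. Read-only: changes nothing.
$findings = [System.Collections.Generic.List[object]]::new()

function New-Finding($Source, $Name, $Dll) {
    # Flag a DLL that sits next to an identically named ".dll.BAK" copy
    $twin = $false
    if ($Dll -and (Test-Path -LiteralPath $Dll)) {
        $twin = Test-Path -LiteralPath "$Dll.BAK"
    }
    [pscustomobject]@{ Source = $Source; Name = $Name; Dll = $Dll; HasBakTwin = $twin }
}

# 1. Winlogon Notify packages: each subkey carries a DLLName value (often unrooted)
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    Get-ChildItem $notify | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DLLName
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $env:SystemRoot "System32\$dll"
        }
        $findings.Add((New-Finding 'WinlogonNotify' $_.PSChildName $dll))
    }
}

# 2. Browser Helper Objects: CLSID subkeys, resolved to a DLL via InprocServer32
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bho) {
    Get-ChildItem $bho | ForEach-Object {
        $srv = "HKLM:\SOFTWARE\Classes\CLSID\$($_.PSChildName)\InprocServer32"
        $dll = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' }
        $findings.Add((New-Finding 'BHO' $_.PSChildName $dll))
    }
}

# 3. Services hosted by svchost.exe: the real code is the ServiceDll under Parameters
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $svc = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    if ($svc.ImagePath -match 'svchost\.exe') {
        $params = Get-ItemProperty "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue
        $dll = [Environment]::ExpandEnvironmentVariables("$($params.ServiceDll)")
        $findings.Add((New-Finding "Service: $($svc.Description)" $_.PSChildName $dll))
    }
}

# Suspicious entries (BAK twin present) sort to the top
$findings | Sort-Object HasBakTwin -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; the Description column for Microsoft's own services often shows a resource reference (@...dll,-id) rather than plain text, which is normal, whereas a plain-text description such as the one the poster quotes on a randomly named service is worth a closer look.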