Topic: Help! Start up items won't load.

[Simon]

:help:  I turned on the PC this morning, and everything seemed to start up OK.  I was looking at the forum, when I noticed that the system tray was devoid of most of the usual icons, including firewall and NAV.  I've rebooted, but the start up icons don't appear, so I'm assuming that the prrgrams are failing to run.

The most worrying thing is that I cannot get Norton Anti Virus to run.  Not at all.  The Auto Protect function is switched off, and refuses to be enabled.  I started up my firewall, made sure the box to 'start with windows' is ticked, and rebooted, but the firewall (Sygate) won't launch on start up either.  Also missing is the ADSL modem icon.

The frustrating part of this is I now have to go to work and leave this unsorted, so I'll be worrying all day, especially as I don't have time now to do a virus scan.

Any ideas as to how this might have happened, and how to fix it?  Another annoying factor is that System Restore won't work either.   >

[Tony]

Sinon,

Have you not got GoBack installed ?

[chorleydave]

I hope I am wrong Simon (I usually am) but I had the problem you describe many times when I used to use Kazaa and Kazaalite.  My problem was, inevitably, the Optix Pro trojan horse, which seems to be immune to virus checkers/firewalls etc. and actually diables them before getting to work.

For months, the only solution I could find was a reformat.  Then, by chance, I came across an article in a magazine which advised how to remove it manually by deleting certain files from the c:\ prompt (or whatever drive Windows is on) and then editing the registry.  Using "FInd" look for the files wmmiexe.exe and/or spooll32.exe (2 "L"s as spool32.exe with one "L" is a genuine Windows system file).  If you have it/them, you have the trojan.  Let me know and I'll dig out the article and let you know how to manually remove it.

Edit:   I've found the article.  Here is some of what it says.

The trojan contains an astounding 209 process names (or registry keys in special cases*) which are hard-coded into the server file, effectively covering all well known and (and some not so well known) anti-virus programs, anti-trojan programs, firewalls, and process viewers/monitors. If the option to kill these programs is enabled, on execution of the trojan the users defences are killed, and every 60 seconds the program checks the process list again for and of the names. Essentially this means all security programs known to the trojan (estimated to be around 80 programs) can be shut down and they cannot run again as the trojan will recognise them in the next scan 60 seconds later.

I'm no expert, and I am probably way off the mark, so I wouldn't worry too much just yet!

[Simon]

No, I haven't Tony.

Did a search for those items Dave, and no results.

Went into msconfig > Startup, and the Firewall and NAV have been deleted from there.

There must be something doing this - I'm starting to panic now.  Doing a virus scan at this moment, but if it didn't stop it on the way in, I wonder if NAV would spot anything now?

If anyone else can help, it would be appreciated, before I start thinking about re-installing XP.

[Sandra]

Did it allow you to update Norton before you ran tne scan Simon,that may pick something up if its a new one that has come up in the last couple of days  

[lobo]

@Simon,
Sounds like a trojan, anti-virus software may not detect a trojan you need a trojan removeing program see your e-mail

Brian

[Clive]

Simon, if you have your antivirus on automatic update how could you become infected?  However, take a look at this:

http://securityresponse.symantec.com/avcenter/venc/data/vbs.lavra.worm.gen.html

[Adept]

I agree with Lobo Simon It looks like you've been infected with something nasty.

The reason why your av scans aren't finding anything is probably because your Norton has been infected too.

The best way to find out if you have a virus/trojan is to take your hard drive out of your machine an put it into another PC as a slave. (Make sure the second PC has an up-to-date anti-virus program running! ) You should then be able to use this PC to scan your entire hard drive.

[Simon]

Thanks for those folks,

Clive - had a look at that, but can't find anything in registry or file search.

Brian - checked e-mail, nothing arrived from you yet.

Sean - Yes, I think it looks like a nasty as well, but I can't think where I could have picked it up.    It was perfectly OK last night, and all went pear shaped this morning, and I had only been to Pals!

Anyway, I did Norton Scans and it found nothing, then I went to the Sygate site and did a Trojan scan - nothing.  I then uninstalled and reinstalled both Norton and Sygate, and they seem to now be working.

The link to which Clive referred gave all the symptoms, but there's no sign of anything called anything like Larva.  

This is a bloody mystery!  I'm sure there's something going on as the hard drive is working when I'm not doing anything.  I haven't a second machine available to scan my hard drive with - would scanning with another AV utility be any use?  I could download AVG, or use the Trend Micro thing linked on here.

[chorleydave]

Simon, when you go to msconfig > startup, is  there anything in there that isn't recognisable?  The fact that your HD is working when you aren't even doing anything suggests that something is running  in the background and (although I am no expert) from the experience I had a while back, it really does look like a trojan.

I will never know how I was infected either.  I don't open .exe oe .vbs etc. files without checking them, but as I said earlier, almost everytime I used Kazaa I was infected.

[TR]

Simon Try this.   http://www.pandasoftware.com/activescan/com/activescan_principal.htm


Hookstar

[lobo]

Simon
Tried to send a program to you via email but it was refused by your email

Anti-Trojan v5.5.420

Quote:
Anti-Trojan 5.5 is a powerful trojan scanner and remover which detects more than 9000 different types of trojan horses. It uses three methods to find them. The first is the portscan which gives you information if there are open ports on your computer. The second one is the registry scan which searches through the system registry database for trojans. The third and the most important part is the disk scan. It scans your harddisks for dangerous trojan files and removes them safely.
3 Search Methods
Anti-Trojan 5.5 allows you to scan your computer with these methods:

Port-Scan
Here all port of the computer are checked whether a trojan is active. This port scanner checks in contrast to the online check all ports, not only well-known trojan ports. Note: There will be no trojan removed, only open ports are shown.


Registry-Scan
With this procedure the system is submitted to a high-speed check. There will be checked the system-registry an known filenames of trojans. If a trojan is identified, it will be removed.


Disk-Scan
This is the most important search method. Whole drives (or directories) are searched for trojan files. Each file is checked on the harddisk. With larger harddisks this search can last somewhat longer. As appoximate value we checked 20 GigaBytes in approx. 30 minutes (approx. 170,000 files). Anti-Trojan also checks packed archives of the following formats: ACE, ARC, ARK, ARJ, CAB, DWC, PAK, ?Q?, GZ, LBR, LHA, LZH, RAR, SFX, TAR, TAZ, TGZ, Z, ZIP, ZOO  


Size : 5326 Kb

Code : h**p://us01.anti-trojan.net/ATro55en.exe


Visit HomePage : h**p://www.anti-trojan.net/en/

Brian



Edited by Simon:  Thanks very much Brian - trying it now.  I did have to remove the other links from this post due to forum T&Cs, but have them noted!  

[Simon]

Which account did you try to send it to Brian?  If it was my hotmail account, that won't accept anything.  It's just for Messenger.  Try the one I sent you the other day -- I'll PM it to you.  

Well, it seems that no Trojans can so far be found (but I haven't tried Brian's thing yet).  I uninstalled and reinstalled Norton AV and Sygate Firewall, and they both seem to be working OK now.  The HDD has also stopped being 'busy'.  There must have been something there stopping Norton from launching - perhaps it was Norton that was infected, and the 'nasty' disappeared with the uninstallation?  Who knows!

I also did an online virus scan with Trend Micro (which I think is basically the same as your suggestion Hook, but thanks), and it produced a number of joke .exe files that had been on my machine for ages (even transferred from last machine), which it thought were viruses, so I deleted them to keep it happy.

Thanks for all the help folks, particularly Sean, who came in with some Remote Assistance (so I now have the dubious honour of having been probed by a Welshman!)  

[Lona]

Just a thought Simon.  You use Trillian......
I got a nasty virus through ICQ.  Some of these chat programmes can sneek in a virus or two without you knowing.

Glad you got everything sorted and think of the pleasure you gave Adept

[Adept]

(so I now have the dubious honour of having been probed by a Welshman!)  

Makes a change from sheep I suppose You should try it Clive, its certainly different