01-23-2007, 08:51 AM   #1
Registered User
Join Date: Jan 2007
Posts: 2
OS: windows XP

itunes.exe hell - I surrender

The other day my computer was running a bit slow so I went into the startup msconfig menu and started cleaning out all the nonsense. I did this, restarted, went back in, and noticed that itunes.exe was still checked, and after a closer look saw that it was sitting in my system32 folder. Not a great sign, so I went on over to a start-up list database, searched itunes.exe, and sure enough itunes.exe in the system32 folder is the result of all kinds of viruses and evilware.

I scanned my PC up and down using probably a dozen anti-virus/spyware scanners, and the most that ever came up were a few tracking cookies. (I always keep my A/V definitions up to date, and have my firewall set pretty tightly).

All I know is that the file doesn't belong there, and it is doing something (it shows up as a running process always using 2-10% of my processor power), although god only knows what. I'm sure it isn't good.

Ok well here's where it gets fun, not for me though. When I try to end the process itunes.exe, it shuts my computer down. Very violently too I might add, no other programs have a chance to do anything or close themselves out.

The file is listed as hidden, system, read-only, and it does let me delete it. Then it shuts my computer down, and when I restart it, my computer shuts down before Windows can even finish loading. I restore itunes.exe, and it's fine again. Same thing happens when I tried to quarantine the file. If that wasn't bad enough, when I try to boot into safe mode...computer shuts down.

I searched my registry looking for something, anything, that was calling or even referring to itunes.exe...nothing. Which leaves me to think that another program tries to load the itunes.exe and when it can't, it throws a temper tantrum and shuts me down.

So after hours of repeatedly playing around with this thing it finally occurred to me that if something was forcing a shut down, it had to be creating a system event saying what program was doing it. So I killed itunes.exe, restarted, went into event handler, opened the last entry and it read: "The event logging service has been started." The entry right before it, a minute or so earlier when I had killed itunes.exe, read: "The event logging service has been stopped."

At which point I collapsed into a heap sobbing and admitted that this thing is simply smarter than I am, it wins. I don't even know where to start here, but any help would be greatly appreciated.
ohnoohno

01-23-2007, 09:30 AM   #2
Basementgeek
Moderator, Home Support
Join Date: Feb 2005
Location: Central Ohio, USA
Posts: 1,505
OS: XP Pro SP2/Vista Ultimate SP2

Hi ohnoohno:

You are probably correct, you got a "nasty" - could be WIN32.RBOT WORM

Here is the place to start on it. Please follow all the directions:

http://www.techsupportforum.com/secu...kthis-log.html

Please do not post your HJT logs here! They are to be posted in the HijackThis Log Help forum

BG


01-23-2007, 10:03 AM   #3
Registered User
Join Date: Jan 2007
Posts: 2
OS: windows XP


Quote:
Originally Posted by Basementgeek
Hi ohnoohno:

You are probably correct, you got a "nasty" - could be WIN32.RBOT WORM

Here is the place to start on it. Please follow all the directions:

http://www.techsupportforum.com/secu...kthis-log.html

Please do not post your HJT logs here! They are to be posted in the HijackThis Log Help forum

BG

I'd taken care of those already, I wasn't exaggerating when I said I must've run a dozen anti-virus/spyware scanners. The one thing I was unable to do was run them in safe mode, since I can't currently boot into safe mode without the computer restarting.

I've been running hjt every step of the way and saving the logs, and am somewhat familiar with what should/shouldn't be on hjt logs...there isn't anything there calling up itunes.exe, and nothing terribly suspicious.

That's the worst thing about this little monster, I have a pretty good idea what I'm doing in terms of cleaning these things out normally, and it's like the damn thing is one step ahead of me no matter what I try.
ohnoohno

01-23-2007, 12:25 PM   #4
Basementgeek
Moderator, Home Support
Join Date: Feb 2005
Location: Central Ohio, USA
Posts: 1,505
OS: XP Pro SP2/Vista Ultimate SP2

ohnoohno:

I still recommend that you follow my instructions.

This forum is for General Computer Security questions. Your question is for a specific fix and it is not done here.

I'm sure you will be helped, following the link I gave you.

BG