Jesus Christ...[erm, not a religious topic]



MasterSwordUltima
04-09-2005, 11:20 PM
This is a computer problem. So, yeah. Serious, effed-up-ness. Just so you know.

Alright, something is wrong with my computer. I did a few Virus Scans via McAfee, and it shows that nothing on my computer is infected [I did this in safe mode, and a normal boot, mind you]. I also tried to push my RAM in, make sure that that's in all the way, and not the problem due to it not being in all the way. Same with all the plugs inside the computer itself.

Now the synopsis...well, my like, I guess desktop, pretty much stops responding. Well, I can use it, but when I, for instance, go to load up a song in Winamp, I can not access the Desktop via Winamp. If I try to, it will freeze, and I'll have to close out Winamp via Task Manager. So I've been having to type in C:\ and go to Documents and Settings/Owner/Desktop for all that. Had to do that with all programs when I need to access the desktop. It just doesn't work. When I start up my computer, it'll work, but like, ten or fifteen minutes after I boot up, my system goes blah and won't let me. Also, AIM...if I even attempt to open up any thing once my system goes blah, it just crashes, and closes [AIM, that is]. So that's a REAL pain. My IE, this is fun too. After my computer goes blah, I have to type http:// before every website I want to go to. I can no longer type just www.armageddongames.net anymore, I have to type http://www.armageddongames.net for it to even respond to anything being in the address bar. My CPU Usage goes through the roof [100% instantly] if I ever close this UpdateXP2.exe process. Dunno about that, prolly the problem. Can't find anything about it though.

So yeah, long paragraph, I know, but roar, this is absolutely bugging the crap out of me. I desperately need some help here...

vegeta1215
04-10-2005, 12:29 AM
How does your computer run if you leave it in safe mode?

The UpdateXP2.exe probably has something to do with the latest service pack for Windows XP IF it's not a trojan or worm. I read somewhere online last week that MS was going to somehow force people to get the service pack 2 update so they will be protected :shrug:

If you think it may be your hardware acting up (which it very well could be), you may wanna try running a Live Linux CD that you just boot from and see how that works. It will leave your Windows system intact.

AtmaWeapon
04-10-2005, 12:41 AM
This is my suspicion. (http://es.trendmicro-europe.com/enterprise/security_info/ve_detail.php?id=87955&VName=WORM_SDBOT.BBP&VSect=T) It is relatively new, how old are your virus definitions? If it slipped through your virus scanner undetected and your definitions are pretty new, your antivirus is probably compromised.

Start here and follow it to the letter. (http://www.broadbandreports.com/faq/8428) If it turns out you have more than you expected, you are probably r00ted. The solution is a friend named fdisk and his cousin format. The protection is running an antivirus and keeping its definitions current, along with a software firewall (which would have started screaming when this bad boy wanted to phone home). NAT routers are nice as well.

*edit* Also McAfee is the worst virus scanner on the planet. Computer Associates bought it and almost named it "Computer Associates Virus Scanner", but after they realized what a pile they had purchased they decided not to tarnish their brand with it.

I have never seen a computer that got along well with McAfee. In fact, there is a known issue with its buffer overflow protection that prevents .NET applications from displaying text on their windows. Every computer I have touched that ran the McAfee security suite ran better once I replaced it with AVG.

There are several free antivirus programs available, I recommend AVG (http://www.grisoft.com/doc/1).

MasterSwordUltima
04-10-2005, 02:19 AM
I had a feeling that UpdateXP2.EXE was the problem. So I checked out the System32 folder, and sure enough, there it was. So I busted it, then I headed over to the regedit, looked for all the registries that the first link showed me, busted all of them that I could find. So far, my computer is doing fine. No random deathness yet, so yay. ^_^ Thanks Atma. You pwn.

AtmaWeapon
04-10-2005, 04:03 AM
I'd do some scanning young stud. The virus is a backdoor and it is likely you have been rooted.

MasterSwordUltima
04-10-2005, 11:53 AM
I got rid of the UpdateXP2.exe manually, but I still have two HIGHLY suspicious looking processes. "taskbarmngr.exe" not to be confused with "taskmngr.exe" which is the official windows one for the Task Manager. That, and "dumpreg.exe", not to be confused with the "dumprep.exe", the windows one when you get that error box thing. Gonna look these up. [Also, is realsched.exe bad? I'm pretty sure it's a windows app, but it keeps coming up now, didn't before...strange...sometimes tftp.exe does too, but that's a windows app].

Slider Zero
04-10-2005, 12:56 PM
My synopsis of the situation:

taskbarmngr.exe: if running as a windows service, it's NOT SUPPOSED TO BE THERE. You may have another app that requires it, but it's unlikely.

dumpreg.exe: shouldn't even be running outside of a command line or safe mode, as that does exactly what it says: Registry dump.

realsched.exe: If you have realone player, ignore this. If you don't, then you may have a problem.

All of these are bad enough, but tftp.exe just proves what I've suspected: you've been rooted. I suggest you start backing shit up.

(Side note: I think I got hit by this myself....but whomever tried to get through got slammed by all 5 of my firewalls, AVG and the crap known as McAfee....and STILL MANAGED TO ICE MY C:\ DRIVE!! Lost everything that wasn't backed up from OCTOBER. Fortunately, they haven't tried again.)
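
The last two posts turn on a naming trick: a malicious process carries a name one or two letters away from a real Windows binary so it blends into the Task Manager list. Added example, not part of the thread: a small Python check that compares each running process name against a list of known system binaries and reports near-misses. The known-binary list and the process list below are constructed for the demo; the legitimate names assumed here are taskmgr.exe (the real Task Manager binary) and dumprep.exe (the Windows error-reporting helper).

```python
from difflib import SequenceMatcher

# Constructed list of legitimate Windows binaries. A real check would use the
# full inventory for the OS build in question; these are the ones the thread
# mentions plus a handful of common system processes.
KNOWN_BINARIES = {
    "taskmgr.exe", "dumprep.exe", "explorer.exe", "svchost.exe",
    "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe",
}

# Constructed process list modelled on what the poster reported seeing.
SAMPLE_PROCESSES = [
    "svchost.exe", "taskbarmngr.exe", "dumpreg.exe",
    "winamp.exe", "realsched.exe", "explorer.exe",
]


def similarity(a: str, b: str) -> float:
    """Case-insensitive similarity in [0, 1] (difflib's ratio: 2*matches/total length)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def lookalikes(process_names, known=KNOWN_BINARIES, threshold=0.8):
    """Return (name, closest_known, score) for every process name that is NOT a
    known binary but closely resembles one. Exact matches are skipped: the point
    is to catch imposters, not the real thing."""
    findings = []
    for name in process_names:
        lname = name.lower()
        if lname in known:
            continue
        best = max(known, key=lambda k: similarity(lname, k))
        score = similarity(lname, best)
        if score >= threshold:
            findings.append((name, best, round(score, 2)))
    return findings


if __name__ == "__main__":
    for name, best, score in lookalikes(SAMPLE_PROCESSES):
        print(f"{name:18s} looks like {best:14s} (similarity {score})")
```

The threshold is deliberately loose; winamp.exe and realsched.exe score well below it against every known name, while taskbarmngr.exe and dumpreg.exe clear it. A near-miss is a reason to check the file's path and signature, not proof on its own.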

AtmaWeapon
04-10-2005, 02:59 PM
MSU you are rooted and if you do not follow the directions at my link it is highly likely you will continue to function as somebody's warez storage and spam zombie.

taskbarmngr.exe (http://it.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=WORM_SPYBOT.YY) is dropped by Spybot.YY, a virus.

The only mention of dumpreg I can find is that it dumps your entire registry to a text file. This sounds innocent until we continue further.

realsched.exe is the Real Networks application that schedules updates. It is harmless so long as you want RealPlayer on your system (you don't).

Now, here's the one that worries me: tftp.exe
This is an ftp server and searching for it brings up more viruses that abuse it than I care to list. When this file is "occasionally" running, someone is transferring files to and from your machine without your permission, and it is likely you have no access to the files they are transferring.

On a side note, don't run 5 software firewalls. A software firewall sometimes makes modifications to your TCP/IP stack, and running more than one firewall is a pretty risky venture. If you have a software/hardware firewall combo, you only should have to worry about the things you download yourself and the things you allow through the firewall rules.

I will be blunt in my evaluation. The viruses came through files you downloaded and likely came through some filesharing channel. I make this inference based on a few factors.

First, almost every virus I could connect to the files you have installed has MS security patches that fix the vulnerabilities the virus exploits. This tells me you don't do the Windows Update dance very often (Linux nerds shut up right now. Check Secunia.org daily to see the multitude of patches *nix requires, particularly Red Hat and Fedora.) If you truly are running two real-time virus scanners and 5 firewalls, then I'd guess at some point you didn't update your virus definitions in a timely manner and a rather new virus managed to slip through. Then, lax firewall rules allowed just one connection in. We're dealing with backdoor trojans and that one connection in likely compromised your protection.

I didn't post my link for fun. You need to sit down and spend several hours running scans on your PC to clean this up, and even then there is only about a 75% guarantee that you don't have a rootkit installed. Those are hard to detect and nearly impossible to remove without consequences, as they actually alter your system files. The easiest thing to do is to reformat, though I'd suggest running a few online virus scans just to see what you have out of curiosity :)

Oh and for the heck of it, next time you see tftp.exe running, go to start>run and type cmd.exe (command.exe if you aren't on XP). Type netstat -a and look at the list of IPs and ports. These are all active connections your PC is maintaining. Traceroute some of the IPs and I guarantee you'll have connections you don't know about/shouldn't have.
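
The netstat step above produces a wall of addresses that is hard to read by eye. Added example, not from the thread: a Python script that parses output in the layout of Windows `netstat -ano` (the `-o` switch adds the owning PID), joins it to a PID-to-image map of the kind `tasklist` prints, and flags sockets held by processes the owner cannot account for, including a bound TFTP server port. Both the netstat text and the task list are constructed samples, and the expected-image allowlist and "local" address ranges are assumptions for the demo.

```python
import ipaddress
import re

# Constructed sample in the layout of Windows "netstat -ano". Addresses are
# documentation ranges, not real hosts.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.5:1045       198.51.100.23:6667     ESTABLISHED     1337
  TCP    192.168.1.5:1052       203.0.113.9:80         ESTABLISHED     1488
  UDP    0.0.0.0:69             *:*                                    1337
  UDP    127.0.0.1:1900         *:*                                    1120
"""

# Constructed PID -> image map, i.e. what "tasklist" would show at the same moment.
TASKLIST_SAMPLE = {900: "svchost.exe", 1337: "tftp.exe", 1488: "iexplore.exe", 1120: "svchost.exe"}

# Hypothetical allowlist: images the owner expects to hold sockets on this box.
EXPECTED_IMAGES = {"svchost.exe", "iexplore.exe", "lsass.exe", "System"}

# Ranges treated as "this machine / this LAN" (constructed for the sample).
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("127.0.0.0/8")]

# Proto, local, foreign, optional state (absent for UDP rows), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint):
    """'192.168.1.5:1045' -> ('192.168.1.5', 1045); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat -ano text into a list of row dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state, "pid": int(pid)})
    return rows


def is_remote(host):
    """True for an IP address outside LOCAL_NETS; '*' and hostnames are not judged."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(addr in net for net in LOCAL_NETS)


def triage(netstat_text, tasklist, expected=EXPECTED_IMAGES):
    """Return (pid, image, reason) findings for sockets worth a closer look."""
    findings = []
    for row in parse_netstat(netstat_text):
        image = tasklist.get(row["pid"], "<unknown>")
        if row["proto"] == "UDP" and row["lport"] == 69:
            findings.append((row["pid"], image, "TFTP server port 69 bound"))
        if image not in expected:
            findings.append((row["pid"], image, "socket owned by unexpected process"))
        if row["state"] == "ESTABLISHED" and is_remote(row["fhost"]) and image not in expected:
            findings.append((row["pid"], image, f"established to {row['fhost']}:{row['fport']}"))
    return findings


if __name__ == "__main__":
    for pid, image, reason in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {pid:<6} {image:14s} {reason}")
```

Run it against the sample and every finding lands on PID 1337: the tftp.exe process is both listening on the TFTP port and holding an established connection to an outside address, which is the pattern the post describes. Snapshots of netstat and tasklist should be taken back to back, since a PID can be reused once a process exits.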

Prrkitty
04-10-2005, 03:37 PM
When you tell someone that they've been "rooted"... what does that mean?
(If I don't ask... I never learn).
<hug> thanks

AtmaWeapon
04-10-2005, 05:32 PM
"rooted" refers to the fact that it is likely he has a virus that performs similarly to a "rootkit".

"root" is the name of the god user on a Unix system. The user root has the power to do anything he pleases to the system and it is an important security measure to both never use root as a normal account and to protect it with a very good password. If a hacker gains access to your root account you have lost control of the box.

A rootkit is a way for a hacker to gain rootlike control of your system. I am unfamiliar with *nix rootkits and not even certain if they exist, but on a Windows machine your best bet is to reformat.

A rootkit typically installs itself into your explorer.exe or some other critical system file(s). This makes removal without corrupting your Windows install difficult at best. Additionally, the rootkit hooks many API calls and removes any references to its support files from them so it won't show up in the tasks list, Windows Explorer, a DOS prompt, or any other program that uses API functions to read the contents of the drive. (Supposedly System Internals has a rootkit detector that compares a read of the filesystem using API and driver-level calls to see if a rootkit is intercepting the API calls.)

Once installed, a rootkit is hard to remove. It opens a backdoor to your system and typically the first thing it does is taint any virus scanner running. This allows the remote user to install other viruses if necessary to gain further control of the machine. I was hit by something that killed my Symantec once and that's why I still run an online scan from time to time to ensure I haven't been compromised. That's also why I quit using Kazaa and other filesharing programs; it just got too dangerous.

MSU may not necessarily have a rootkit installed, but the viruses he has include backdoors for remote users to gain rootlike access to the system, therefore he can consider himself rooted. So long as one of these viruses exists, it is possible for a remote user to install more.
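
The detection idea in the post above (compare what the normal file API reports with what a lower-level read of the same directory reports, and treat anything the API leaves out as hidden) reduces to a set comparison once both listings exist. Added example, not from the thread and not a rootkit detector itself: a Python cross-view comparator over constructed listings, where "api" stands for the Explorer-style view and "raw" for the driver-level view. In real use each view comes from a separate tool; this code only does the comparison, and the file names in the sample are made up.

```python
from collections import defaultdict

# Constructed views of one directory. "api" is what a normal directory listing
# returned; "raw" is what a lower-level read of the same directory returned.
# The two rk_* names are placeholders for files the hooked API omitted.
SYSTEM32_VIEWS = {
    "api": ["kernel32.dll", "explorer.exe", "taskmgr.exe", "tftp.exe"],
    "raw": ["kernel32.dll", "explorer.exe", "taskmgr.exe", "tftp.exe",
            "rk_driver.sys", "rk_config.dat"],
}


def cross_view(views):
    """views maps a view name to the entries it saw (file names, PIDs, registry
    keys: anything comparable). Returns a sorted list of
    (entry, present_in, missing_from) for every entry not seen by all views."""
    seen = defaultdict(set)
    for view_name, entries in views.items():
        for entry in entries:
            seen[str(entry).lower()].add(view_name)   # Windows names are case-insensitive
    all_views = set(views)
    report = []
    for entry, present in seen.items():
        missing = all_views - present
        if missing:
            report.append((entry, tuple(sorted(present)), tuple(sorted(missing))))
    return sorted(report)


def hidden_from_api(views, api_view="api"):
    """Entries every other view saw but the API view did not. This is the
    rootkit signature; the opposite case (API sees it, raw does not) is usually
    a file created or deleted between the two snapshots."""
    return [entry for entry, _present, missing in cross_view(views)
            if missing == (api_view,)]


if __name__ == "__main__":
    for entry, present, missing in cross_view(SYSTEM32_VIEWS):
        print(f"{entry:16s} seen by {present} but not by {missing}")
    print("hidden from the API view:", hidden_from_api(SYSTEM32_VIEWS))
```

Because the comparison is generic, the same function works for process IDs enumerated two different ways or for registry keys read through two interfaces. Taking both snapshots twice and only reporting entries hidden in both runs filters out the transient files that would otherwise show up as false positives.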

Prrkitty
04-10-2005, 06:29 PM
Atma... thank you very much for the in-depth explanation. You are so good to us here at the forums and you don't get told "thank you" enough (in my opinion).

thanks hon :)
<hug>

Good luck MSU :)

MasterSwordUltima
04-11-2005, 07:17 PM
I ran Ad-aware a few minutes ago, and damnit that thing pwned so many registries, :D. Gonna run some more net virus-checkers to see if I can't pwn them. My computer definitely seems to be running much better now, but my winamp still craps out a bunch, just, opening it up, and I did reinstall it...still acting goofy...I'll see...