resfix32v virus

  • Question

  • I somehow acquired a virus by the name of resfix32v.exe. OneCare isn't identifying it. Is there a way I can remove it, or at least isolate it? It is eating up all of my RAM by consistently opening itself until the computer locks up. I am having to work with the Task Manager open to keep turning it off as I work. I have found it in D:\Windows, and it won't delete.

    Any ideas?
    Thanks-
    Justin
    Friday, December 28, 2007 8:22 AM


All replies

  • Yes, also picked this up last night. PC runs really slowly now. Also keep getting error reports about cxsrrs.exe (in fact that came first). Last thing I was trying to do was Win Live update - didn't go through and now all too slow to work.

    Found this - which I am trying to implement:

    http://forums.spybot.info/showthread.php?p=137757#post137757

    though waiting for IE to load is like watching paint dry.

    prevx.com seems the only place found in a Google that has any info - haven't tried this yet due to slow pc but will see...

    Help anyone??

    Friday, December 28, 2007 12:16 PM
  • If you were infected while running OneCare, contact support for help with removal *and* to report the failure of OneCare to prevent the infection or detect it.

    How to reach support (FAQ) - http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=2421771&SiteID=2

    You can also submit the suspected infection - http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=1583244&SiteID=2

    If you are in North America, you can call 866-727-2338 for help with virus and spyware infections. See http://www.microsoft.com/protect/support/default.mspx for details. For international information, see your local subsidiary Support site.

    -steve

    Friday, December 28, 2007 2:31 PM
    Moderator
  • I had it - you can see it in Task Manager in the running processes column. It duplicates itself and uses up all available RAM until the comp crashes.

    1 Boot to safe mode

    2 Clean cookies and temp folders, then reboot to safe mode

    3 Start msconfig and disable all programs in the start menu, then reboot to safe mode

    4 Download Eusing free registry cleaner, then reboot, because your computer will probably crash before you can install it.

    5 Clean a few folders at a time in Eusing if you can't get them all at once; depends on how fast the comp is.

    6 Reboot in safe mode and use SYSTEM RESTORE at least a week back

    7 If this works, disable sys restore until sure and clean registry again

    8 GOOD LUCK. Took me all day Thursday 12/27/2007
    Saturday, December 29, 2007 3:49 AM
  • Hi DonBan, I think I'm having a day like this today, Saturday... I can't get rid of it like you mentioned, Prevx isn't helping either, any other ideas???
    Saturday, December 29, 2007 2:37 PM
  • Hi,

    I just followed the method posted by DonBan and everything seems OK.

    It's definitely worth trying.

    Many thanks to DonBan for posting this, it was causing me a real headache.

    Raff5

    Saturday, December 29, 2007 4:15 PM
  • Right! OK, so I only wasted HALF of my day trying every way that I thought I knew how to get rid of trojans... did it like you said and it seems to work now. I am a bright one, ain't I?

    Any idea about why you need to restore? How does this trojan work? I still can't find anything useful about it on the net...

    Thanks again DonBan!

    Saturday, December 29, 2007 4:59 PM
  • Oh, yeah, and thanks to you too Raff5, I don't usually follow advice until somebody guinea pigs it for me first...

    BTW, I was using Spybot to erase the multiple instances of resfix32v.exe when they came up; this bought me the time I needed to do the downloading and reg fixing. Prevx antivirus promised a fix that doesn't exist as of yet, so stuff them... then again, I'm using Avast and Bach Khoa, and neither of them managed to block it for me. Thanks again to DonBan too!!!

    Saturday, December 29, 2007 5:12 PM
  • You're ALL VERY WELCOME and I'm happy to have helped!

    This one pulled my hair out! I wasted my day doing what you normally try with viruses and trojans but to no avail!! I hate using system restore because it also holds the infected file or string of code. When the normal procedures (virus software) don't work it must be new! That makes it DANGEROUS. I have found that cleaning the registry almost always fixes the problem if you can catch it fast. ALSO, I forgot to mention when you are rebooting in SAFE MODE do it as a hard boot (holding power button until shutdown). THIS WAY it seems to lose the information in the RAM which is normally written to hard drive, since this one was copying and duplicating the trojan processes.

    The best way to keep out of trouble is to have three hard drives. The first and second should have an operating system installed and a boot manager to use the other in case of catastrophic failure, and the third to store all data and programs. This way, you have a way to access information to fix the problem.

    I feel sorry for all the people who have no backup computers or access to the net to figure this one out.

    THE SCARY THING IS I THINK THIS ONE IS EMBEDDED IN WELL KNOWN WEB PAGES or common downloads, file sharing, torrents. I really don't know yet.

    GOOD LUCK TO ALL! HAPPY NEW YEAR!

    Saturday, December 29, 2007 8:30 PM
  • Hi, DonBan

    I spent the whole of yesterday working on your solution - tried it many many times but this little so and so keeps coming back.

    Tried the Prevx (? is that right) virus solution on the web but that doesn't have time to fix - although it spots it, which nothing else has done. The resfix32v.exe file sits there as bold as you like in C:\Windows - though you cannot shred or alter it in any way. It is duplicated by something in the registry, so a cut and move to a different directory just gives you a file that you can destroy on reboot, but another will replace it. Ditto for renaming.

    Can anyone suggest a solution or where I might be going wrong? Could not restore since all restore points were corrupt; turned restore off and on and can do it now - but obviously I no longer have old points to try. I had tried restore long before coming to this forum so it was not MSCONFIG related (just in case anyone thought I had not reset the pc when trying).

    Someone said they used Spybot to hold the virus off - how? Is that TeaTimer related?

    Sunday, December 30, 2007 11:45 AM
  • Hi colonelsarete,

    I was struggling to remove this virus too; I tried the fix by DonBan and found it a complete success.

    However, you would need to follow all of the steps exactly (or as near to it as possible).

    I am no expert and give credit to DonBan for the fix.

    It states that you believe it NOT to be msconfig related; does this mean you missed this step, or that you just doubt it helped?

    I may be mistaken, but this virus causes major problems as it creates multiple instances of a running program (resfix32v.exe); as more instances are running, your pc comes to a crawl, eventually stopping under extreme load.

    I found that you had limited time to take steps before the pc became unusable and required restarting; a combination of safe mode and the msconfig startup changes bought extra time to resolve this.

    The above fix by DonBan does work, I know first hand, but the steps need following as he laid them down.

    In his fix deleting the file isn't listed; I doubt you could delete a file that is running anyway.

    Do the above fix, which stops it running, then delete the file.

    I am sure you are aware that Windows on startup starts other components/programs; this is how the virus is started when you turn on your pc.

    Fix the registry/alter the startup components to stop it from running.

    Then delete it.

    Then use system restore to get your pc back to a stable time (at least 7 days back).

    Hope that helps

    Raff5

    Sunday, December 30, 2007 1:12 PM
  • Hi Raff5

    Thanks. I need to clarify: I followed DonBan's tips to the letter, several times, BUT could not do a restore - XP just kept telling me the restoration had failed, something it had been telling me for a few days when I first spotted the cxsrrs.exe warnings.

    My reason for mentioning the MSCONFIG bit was that I wanted to make it clear that I had reset MSCONFIG to normal settings before attempting restore, since otherwise you just get a warning saying unable to comply since you are in safe mode or similar environment.

    The file manipulation was done much later - I had tried DonBan's method at least 6 or 7 times and was at my wit's end so tried looking around elsewhere. I know you cannot edit a running prog but desperation does funny things to the brain - I started at 11:30 am yesterday and finally caved in at 04:00 this morning!

    I will clarify what I did just in case I have misinterpreted the instructions:

    Boot to SAFE mode (where mentioned, always basic safe mode, not network support or command prompt)

    IE delete cookies and temp folders (also deleted ...Temp and Temp Internet folders in subfolders of Docs and Settings - where XP would allow; if it would not, deleted contents)

    Emptied recycle bin

    Hard boot (using power off, not on screen) and wait until system still/screen off etc, then to Safe Mode

    Run MSCONFIG

    Selective startup - clear all checkboxes

    Hard boot to Safe Mode

    Run Eusing and clean all registry items - starting with HK Local and working down the list - could not do the lot at once since virus would crash pc so had to do them one or two at a time

    Question here: DO YOU BACKUP THE REGISTRY IN BETWEEN USING EUSING OR DO YOU JUST CHECK WHAT YOU CAN IN THE TIME YOU HAVE, EXIT THE PROG AND HARD BOOT. IF YOU DO BACKUP - SHOULD YOU RESTORE IT WHEN YOU GET BACK INTO EUSING?

    Once all done, hard boot to Safe Mode

    Try a restore - NB THIS IS WHERE I WAS STUFFED, SINCE HAD NO VALID RESTORE POINTS

    Disable system restore if successful

    Hard boot to Safe Mode and clean registry again.

    Have just seen something about BartPE and its ability to give a clean boot to enable virus software to clear rootkit infections (Prevx reports it as a rootkit infection)

    Any help greatly appreciated.

    Thanks again

    Sunday, December 30, 2007 1:38 PM
  • Hi colonelsarete,

    I would not back up the registry; I would just scan it and repair what it finds.

    Restart as many times as it takes to get all of them done.

    If you have no valid restore points then you cannot complete the final step.

    I am not sure what the implications of that are, as I just ran through all the steps without pausing to see how things were going, not until the end when it was complete, and fortunately I was virus free.

    I was able to get the registry scan and fix done in 2 attempts. I did run it a 3rd time just to make sure but it didn't find any errors to fix.

    Whilst searching I found another possible fix; this fix has not been tested by myself so I cannot comment, but it may be worth you giving it a go.

    http://forums.majorgeeks.com/showthread.php?t=147034

    Let me know if it helps at all; I'm afraid I don't know that much, just grateful to guys like DonBan, who do and post info I can use on forums like these.

    raff5

    Sunday, December 30, 2007 2:03 PM
  • Hi all

    I am actually starting to be amused by this virus...

    Just a little pointer for those with decent restore points - I Googled and downloaded BartPE to create a PE disk (with the virus active I had to install, reboot, run and save output as an ISO, reboot and then write disk from ISO).

    With this disk (my instructions will be clear once you have installed the prog) and F2 to go into BIOS on a reboot so that you can set your CD/DVD as first boot device, you can run up a basic OS environment that will allow you to use Run.

    With the browse command you can then hunt out your various anti-virus progs, Eusing's reg cleaner etc and run them at your leisure, since ResFix32v hasn't been triggered. Presumably you could then reboot without this disk and come in at the latter stages of DonBan's method, ready to sort out restore points - as I said, my restore points were shot and so this did not work - try it though, because a PE disk is something we should all have!!

    Hugs and ice-cream

    CA

    Sunday, December 30, 2007 10:58 PM
  • Thanks colonelsarete

    I searched for boot CDs a couple of years ago and found only the ones from Microsoft. They weren't very user friendly. This BartPE looks like the ticket to get us all out of trouble easily. SEE! Sometimes, the bumps in the road are what make life interesting!

    Sorry I couldn't have been more help, but you persevered and succeeded. Everyone who tries also contributes to the rest of us and is GREATLY APPRECIATED.

    Thanks Again, Happy New Year
    Donban

    Monday, December 31, 2007 3:07 AM
  • I agree, much learnt through this

    Many systems disabled, had to reset via Control Panel, Performance and Maintenance, Admin Tools, Services - worth looking out for

    Bart PE - fantastic - allowed me to use Cmd prompt where I could:

    c:
    cd \windows
    rem rename the loader DLL so nothing can find it under its original name
    ren sysloader32v.dll munchkin.dll
    rem delete the malware file (nothing has it open under BartPE, so the delete goes through)
    del resfix32v.dll
    exit

    That's the little so and so seriously stamped on - but not dead. Running back up gave me huge amounts of time (I am working on that pc now) to run progs and produce HJT and ComboFix logs to post up to knowledgeable peeps at forums for them to sort me out. Running HJT shows an entry near the end (AppInit DLLs - or something like that - memory fading as New Yr alcohol kicks in!!) but somewhere around O20 which shows sysloader32v.dll - use HJT to remove and you are laughing.

    Thought I had it licked last night, since it does not show in Task Manager, but one of my virus progs spotted it trying to do something undetected by Task Manager just a few moments ago - this was before following my own advice and HJT O20ing it. Been running all day without hitch... Security Cadets forum just sorting me out for safety - belt and braces and all that.

    Bart PE has loads of plugins that can be downloaded too - presumably to make the disk you create even better.

    Have a good New Year, all

    Kisses on the bottom

    CA

    Monday, December 31, 2007 11:41 AM
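As an added, defender-side example (not code from this thread, from OneCare, HijackThis or any other tool mentioned in it), the following Python script checks for the two symptoms the posters describe: a process spawning copies of itself until RAM runs out (DonBan's and Raff5's posts) and a DLL registered in the AppInit_DLLs value that CA found in the HijackThis O20 entry. It parses constructed samples in the format of `tasklist /fo csv` and a `reg export` .reg file; the image name, DLL name, PIDs and memory figures in those samples are made up for the example, and the threshold of four instances per image name is an assumption you would tune per machine.

```python
"""Triage helpers for two symptoms described in the thread:
(1) a process that keeps spawning copies of itself until RAM is exhausted, and
(2) a DLL loaded into every process via the AppInit_DLLs registry value.
The samples below are constructed in the format of `tasklist /fo csv` and of a
`reg export` (.reg) file; on a real machine you would feed in captures such as
  tasklist /fo csv > procs.csv
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" appinit.reg
(note that reg.exe writes .reg files as UTF-16, so open them with encoding="utf-16")."""
import csv
import io
import re

# Constructed sample of `tasklist /fo csv` output (not a real capture).
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"explorer.exe","1234","Console","0","18,512 K"
"svchost.exe","900","Console","0","4,100 K"
"svchost.exe","944","Console","0","3,980 K"
"resfix32v.exe","2001","Console","0","21,004 K"
"resfix32v.exe","2010","Console","0","20,996 K"
"resfix32v.exe","2044","Console","0","21,120 K"
"resfix32v.exe","2071","Console","0","20,988 K"
"resfix32v.exe","2102","Console","0","21,032 K"
"resfix32v.exe","2137","Console","0","21,040 K"
'''

# Constructed sample of a `reg export` of the key that holds AppInit_DLLs.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="sysloader32v.dll"
"LoadAppInit_DLLs"=dword:00000001
'''

APPINIT_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]"


def _parse_mem_kb(field):
    """Turn a tasklist memory field such as '21,004 K' into an integer number of KB."""
    digits = re.sub(r"[^0-9]", "", field)
    return int(digits) if digits else 0


def count_instances(tasklist_csv):
    """Return {image_name: (instance_count, total_kb)} from tasklist CSV text."""
    stats = {}
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        name = row["Image Name"].lower()
        count, kb = stats.get(name, (0, 0))
        stats[name] = (count + 1, kb + _parse_mem_kb(row["Mem Usage"]))
    return stats


def find_runaway_processes(tasklist_csv, max_instances=4, ignore=("svchost.exe",)):
    """Image names with more than max_instances running copies.

    svchost.exe is skipped by default because Windows legitimately runs many
    copies of it; the threshold of 4 is an assumption, not a Windows constant."""
    flagged = {}
    for name, (count, kb) in count_instances(tasklist_csv).items():
        if name not in ignore and count > max_instances:
            flagged[name] = (count, kb)
    return flagged


def appinit_dlls(reg_text):
    """Return the DLL names listed in AppInit_DLLs under the Windows NT\\CurrentVersion\\Windows
    key of a .reg export, or [] when the value is absent or empty."""
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.lower() == APPINIT_KEY.lower()
            continue
        if in_key:
            m = re.match(r'^"AppInit_DLLs"="(.*)"$', line)
            if m:
                # .reg files escape backslashes; the value itself is a space- or
                # comma-separated list of DLL paths.
                value = m.group(1).replace("\\\\", "\\")
                return [d for d in re.split(r"[ ,]+", value) if d]
    return []


if __name__ == "__main__":
    for name, (count, kb) in find_runaway_processes(SAMPLE_TASKLIST).items():
        print(f"{name}: {count} instances, {kb} KB in total")
    print("AppInit_DLLs:", appinit_dlls(SAMPLE_REG_EXPORT))
```

A non-empty AppInit_DLLs value is worth a look on any machine, because every process that loads user32.dll also loads whatever is listed there; that matches CA's observation that the file no longer showed in Task Manager yet kept doing things. The instance count is a coarse signal, so it is paired with the memory total to make a flood like the one in the thread stand out from a program that merely runs a few copies.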