#1 (permalink)
Banned
Join Date: Oct 2002
Posts: 185

Nasty Anydvd 4581 file on Emule

A virus that deletes mp3 files from all drives and then prevents any other programs from running. Task manager is also disabled after this virus has been run. When this virus has done its work, a window with "Intelligence Resource Program", "Cyberbob 33 BX", "The French Hacker" as well as a picture of a shady looking character and words saying "F*** the Pirates..MP3..Games ETC!!!" is displayed whenever a program is attempted to start. When you try rebooting a second time, the system resets just before the OS selection screen and then does this on each subsequent attempt to restart. I have had to open Windows from another hard drive just to be able to scan the original drive. No virus program I have tried detects this file as being harmful, nor does any spyware program. If anyone knows a workaround please let me know.

#2 (permalink)
CDFreaks Resident
Join Date: Jan 2005
Location: In The Mountains
Posts: 1,649

Re: Nasty Anydvd 4581 file on Emule

Do a web search for Trojan Defense Suite (TDS). Download and run it. It will take a while but it will solve your problem. Also think about adding a firewall.

__________________
Main System: Intel D865GBF P4 3.2E 4GB DDR400 2x Maxtor 250GB BenQ 1650 BenQ 1620 Matrox P650 InWin Q500/Antec True550 Dual 19"LCD
Backup System: Intel D865GLC P4 3.0E 4GB DDR400 2x Maxtor 250GB BenQ 1620 BenQ 1650 Matrox P650 InWin Q500/Antec True550 Dual 17"LCD
Workhorse System: SuperMicro P6DBS P3 850MHz x 2 1GB SDRAM 4x Seagate UW 9.1GB LiteOn 1633S Pioneer A-305S Matrox G450 InWin Q500/PC Power & Cooling 510 ATX Dual 15"LCD
Play System: AOpen AX4SG P4 2.8E 2GB DDR400 2x Maxtor 160GB BenQ 1620 BenQ 822A Matrox G550 Antec CS600/Antec True550 Dual 17"LCD
Server/Firewall: Biostar P4TDK P4 2.4GHz 2GB DDR400 2x Seagate 160GB BenQ 1620 LiteOn SOHD 167T Matrox G450 Antec CS600/Antec True550 19" CRT
All Computers Use TB SantaCruz Sound Cards & RealMagic Hollywood+ DVD Decoder cards

#4 (permalink)
CD Freaks Member
Join Date: Jan 2003
Location: New Zealand
Posts: 153

Re: Nasty Anydvd 4581 file on Emule

FreqNasty, to fix this up you will need to boot into Windows using the 'Safe Mode' option.

To stop the automatic restarts

Once in, proceed to Control Panel > System. Click on the Advanced tab. Under 'Startup and Recovery' click on Settings. Remove the tick from 'Automatically restart' and choose OK.

While you are booted in Safe Mode why not just uninstall your AnyDVD as well?

This trojan virus thing you have come across probably loads as a system service, so have a look in the msconfig start-up list as well for anything suspicious.

But one would have to ask: what in the world are you using a copy of AnyDVD from Emule for? Surely not using a cracked version.

__________________
PeebZ

#5 (permalink)
CDFreaks Resident
Join Date: Oct 2004
Location: Scotland
Posts: 2,901

Re: Nasty Anydvd 4581 file on Emule

Quote:

If you like/use the program support the author and buy it.

#8 (permalink)
Banned
Join Date: Oct 2002
Posts: 185

Re: Nasty Anydvd 4581 file on Emule

No..it was just a version of it. I don't know if it was cracked. The person who wrote this virus is obviously against Anydvd because it is used to copy DVDs. Unless Slysoft releases trojans of anydvd files on emule then you would expect it to be an anti pirate person. In fact, if you go to http://www.vbfrance.com/auteurdetail.aspx?ID=264139 there is a cyberbob33 on there! The trojan was written in Visual Basic, which is what that site is based on.

I still need details on what this trojan changes in the registry. An NTDETECT.COM file needed to be added to the root as it had been deleted, which explained Windows not booting. It is difficult to examine a registry which has been disabled by the system administrator.

#9 (permalink)
CDFreaks Resident
Join Date: Oct 2004
Location: Scotland
Posts: 2,901

Re: Nasty Anydvd 4581 file on Emule

The best version of it would only come from the developer's website and at 1Mb it would be quicker to d/l it from there than from Emule. Have you tried Ewido trojan scanner & registry mechanic to see if that helps?

#10 (permalink)
CDFreaks Resident
Join Date: Apr 2002
Posts: 2,667

Re: Nasty Anydvd 4581 file on Emule

Just my opinion, but, if I had a known trojan on my machine I'd back up my data and wipe the machine. Overly cautious, yes. But, to me it's worth the peace of mind of having a clean install versus HOPING some trojan cleaner actually managed to wipe it out completely.

And uh, don't be installing things from an untrusted source such as emule file sharing.

#11 (permalink)
CDFreaks Resident
Join Date: Jan 2005
Location: Arkansas, USA
Posts: 1,836

Re: Nasty Anydvd 4581 file on Emule

Quote:

Peace and Luv, DJ Mind

#12 (permalink)
CDFreaks Resident
Join Date: Oct 2004
Location: Scotland
Posts: 2,901

Re: Nasty Anydvd 4581 file on Emule

Quote:

#13 (permalink)
CDFreaks Resident
Join Date: Apr 2002
Posts: 2,667

Re: Nasty Anydvd 4581 file on Emule

That'd be why you back up just the *DATA* not any programs. A trojan can't infect your data. And if you're really that paranoid, then you'd probably get all your scanners and whatnot up to date before restoring the data after you do a fresh install.

I've been using computers for over 20 years and I've never gotten a virus or trojan. Know the source of what you're installing comes to mind. Scan it BEFORE installing is also prudent advice. But when infected, clean as much as you can, back up the data, and reinstall. That's what I'd do.

#15 (permalink)
New on Forum
Join Date: Mar 2005
Posts: 27

Re: Nasty Anydvd 4581 file on Emule

Here's a list of programs to try to run in SAFE MODE to pick up the worm. You can find them at www.google.com

Ad-Aware SE Professional
Spybot - Search & Destroy
SpywareBlaster
Norton AntiVirus

Update them and run them in that order, twice. They'll get it for you.

#16 (permalink)
New on Forum
Join Date: Mar 2005
Posts: 27

Re: Nasty Anydvd 4581 file on Emule

A virus, based on the W32.NGVCK virus creation kit. This virus will infect executable files when they are run. The existence of the file UnBlaster.exe is an indication of a possible infection.

Also Known As: Bloodhound.W32.1, W32.NGVCK.4920
Infection Length: 4920 Bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, Microsoft IIS, OS/2, UNIX, Windows 3.x

Symantec Corporation. All content is copyrighted by the company. Legal Notices. Privacy Policy. April 29, 2004. Symantec

#17 (permalink)
New on Forum
Join Date: Mar 2005
Posts: 27

Re: Nasty Anydvd 4581 file on Emule

It will perform the following actions:

1. Attempts to import several Windows functions from various .dll files. These functions will be used later to find and infect files.
2. Creates the file, UnBlaster.exe, in the %System% folder. This file is a copy of the virus.
   Note: %System% is a variable. The virus locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
3. Installs a Windows hook so that it can infect Windows PE executable files when they are executed.
4. Checks the system time to determine whether it should display a message box. The message, if displayed, is written in an Asian language.

#18 (permalink)
New on Forum
Join Date: Mar 2005
Posts: 1

Re: Nasty Anydvd 4581 file on Emule

Quote:

First, I got the file when I downloaded AnyDVD+serial+crack from Morpheus. I did this because a) I'm thrifty (ok, cheap) and b) I have like 30 tools that each have 1 extra feature I need, and didn't want to shell out the money for another. Anyhoo, lesson learned, let's move on.

This trojan does several things. For one, it deletes every MP3 on your computer. It also deletes every copy of NTDETECT.COM, which prevents your system from rebooting. It then adds three registry keys that lock you out as administrator. One is NoControlPanel, another is DisableRegistryTools, the last is DisableTaskMgr. Finally it breaks the executable file association so you can't run any .exe files (directly, more on this in a sec). The program also seems to use a virus as a vector to keep itself installed, although this wasn't a huge problem compared with everything else. Pretty nasty, but fixable.

Ok, by the time you realize you have a problem, your computer probably doesn't restart. I booted off my WinXp CD, did the repair console thing. I issued the FIXMBR command (don't know if this actually had any effect, but it didn't hurt) and then copied NTDETECT.COM from the D:\i386\ folder into C:\. Now I could boot.

Luckily, I have my text files associated with TextPad (Helios Software Solutions). This meant when I double-clicked on a text file, TextPad opened up. TextPad very handily has a run command which bypasses the .exe's file association. The point is you need some sort of way of executing commands directly.

Now, first thing we need to do is get task manager back under our control. Issue this command:

    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

(in TextPad, the reg goes in the command, everything else goes in the parameters). This basically changes the DisableTaskMgr key to 0, letting you ctrl alt delete.

There's a program in the processes (sorry, forgot the name, just try to execute an exe and you'll see it pop up) that seems to be from the virus. Just kill it when it comes up.

Now we need to run our virus scanners, ad-awares, etc... F-Prot with the most recently updated file (dated today, 3-18-05) found the virus called W32/Killfiles.H in the trojan program. I'm guessing this infects the MBR and then reinfects it each time the program is running, but that is just conjecture. Delete the file, let it clean everything. Oh yeah, to run it, just copy/paste the shortcut in your start menu into the command line of whatever you are using to issue commands.

Now we just fix the other three problems. To get control of our registry editor, run the following:

    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

Now, go to get this: http://home.earthlink.net/~rmbox/Ret...y/EXEfix08.reg and apply it by just running it in your command issue-er thing. This fixes your exe problem.

Ah, almost there. Now just run regedit, and do a search for NoControlPanel. There should be only one that has a value, but if not, change those too. Set its value to 0. This requires a reboot to make active. Cross your fingers and restart.

Ok, so that should be it (I think, it was like 3 in the morning when I finally finished.) Just for fun you should re-run all your virus scanners, etc. Everything except my MP3s are back and normal (I hope).

A comment from me: Ok, so piracy is wrong, but is it really worse than destroying someone's whole computer without any way to back up pictures of their daughter or whatever? Malicious "hackers" suck. I hope they burn in the bottom layers of hell with Jon Tesh.

http://windowsxp.mvps.org/Taskmanager_error.htm
http://support.microsoft.com/?kbid=831787
http://www.winguides.com/registry/display.php/543/
http://forums.techguy.org/showthread.php?p=314796
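
An offline check for the lockout settings named in the post above, added here as an example and not code from the thread: it parses the text of a regedit export, flags the three policy values when they are non-zero, flags an altered .exe open command, and builds reset commands in the same `REG add` form the post uses. The sample export and its placeholder.exe path are constructed; the Policies\Explorer location for NoControlPanel and the `"%1" %*` default handler are standard Windows values, not details taken from the posts.

```python
import re

# Values the posts above report being set to 1 by the trojan.
LOCKOUT_VALUES = {"DisableTaskMgr", "DisableRegistryTools", "NoControlPanel"}
EXE_KEY_SUFFIX = r"\exefile\shell\open\command"
EXE_DEFAULT = '"%1" %*'   # stock Windows handler for .exe files
HIVE_SHORT = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}

# Constructed sample export; the placeholder.exe path is invented for illustration.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Program Files\\placeholder\\placeholder.exe\" \"%1\" %*"
'''

def parse_reg(text):
    """Yield (key, value_name, raw_data) from export text; '@' is the default value."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if key and m:
            yield key, m.group(1).strip('"'), m.group(2)

def unquote(data):
    """Decode a REG_SZ literal: drop the outer quotes, undo backslash escapes."""
    return re.sub(r"\\(.)", r"\1", data[1:-1])

def audit(text):
    """Return (findings, fix_commands) for the lockout described in the thread."""
    findings, fixes = [], []
    for key, name, data in parse_reg(text):
        if name in LOCKOUT_VALUES and data.lower().startswith("dword:"):
            value = int(data[6:], 16)
            if value != 0:
                hive, _, rest = key.partition("\\")
                findings.append((key, name, value))
                fixes.append(f'REG add "{HIVE_SHORT.get(hive, hive)}\\{rest}" '
                             f"/v {name} /t REG_DWORD /d 0 /f")
        elif name == "@" and key.lower().endswith(EXE_KEY_SUFFIX) and data.startswith('"'):
            if unquote(data) != EXE_DEFAULT:
                findings.append((key, "(Default)", unquote(data)))
    return findings, fixes

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Files written by regedit's export are normally UTF-16, so read a real one with `open(path, encoding="utf-16")` before passing its text to `audit`.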

#20 (permalink)
New on Forum
Join Date: Apr 2005
Posts: 1

Re: Nasty Anydvd 4581 file on Emule

This doesn't only apply to Anydvd, this applies to other files downloaded from emule. The virus will put a file in your program files folder named xerox.nt. If you have spybot installed you can access the TASKMGR to kill the process that is running (smsdriver...or something like that) then delete the xerox.nt folder. The above example mentioned using TextPad but I had problems here also, I got an error ACCESS DENIED. But I didn't have it installed originally, so this might be the reason.

#22 (permalink)
CD Freaks Rookie
Join Date: Mar 2004
Posts: 43

Re: Nasty Anydvd 4581 file on Emule

I got this downloading a zip file named DEMO!!! So innocent people are getting this also!!!

There are a couple of other steps you need to do:

1. There will be TWO files under Program Files that you need to delete

A. A Visual Basic folder and all contents with a file named 'nctrup.exe' in it.
B. Do a search for 'nctrup' on your 'C' or 'System' drive and delete ALL files found.
C. There will also be a file named 'restore' with some weird letters (it varies) in your Program Files folder. Delete all of it. If you have Spybot Search & Destroy go to its startup section, and it will show it to you. It should be the only folder that says 'restore'.
D. Do a registry search for 'nctrup' and delete ALL you find. There will be more than a few. When I found one I deleted the head folder in registry that that folder was contained in or a sub sub sub folder of.
E. I had three places in my registry that I had to fix NoControlPanel with a '0' (zero) instead of a '1' (1 is BAD).
F. The names of the backup folders that put this Trojan back on your system are sometimes different or vary some. Do a system drive search for any other filenames mentioned by others here that were kind enough to help.

A BIG thank you to those who took the high road and helped out.

Hope this is of some help to others that downloaded a DEMO in good faith from a normally good shareware site. That is one of the problems when someone does something like this, it ends up with a name on a shareware site and hurts innocent people. There is never a reason or excuse for something like this. Coding and distributing a Trojan/Virus/Worm is still illegal and punishable by a hefty fine and jail time. Whoever did this is just as bad as the 'pirates'??? he/she was trying to get revenge on.

IMHO
isepiq

P.S. Almost forgot. Lavasoft Adaware v1.05 (newest one) with today's updates will find and remove a lot of this Trojan. I had to go into the Lavasoft install folder and click on the exe file to get it to run, instead of getting that Trojan window.

#23 (permalink)
CDFreaks Resident
Join Date: Apr 2002
Posts: 2,667

Re: Nasty Anydvd 4581 file on Emule

Innocent people get a lot of crap on the internet. That's a fact of life. "Chance favors the prepared mind."

What I mean by that quote is that *BEFORE* you download anything, make sure your AV, firewall, and spyware software are up to date. Scan the hell out of whatever it is you want to install BEFORE installing it. Scan your system with the spyware software after, as well. When all else fails, it is my experience that it's good to have a fairly up to date copy of a WinPE boot cd handy.

Yes, ok, this is beyond the capability of the average user. However, if people took the time to learn a few precautions, we'd probably not have as many zombie machines running around. In any case, it behooves you to know what it is you're downloading and installing and to take the proper precautions before actually installing it.

All that being said, I agree with you that the j@ck@$$ that wrote that trojan ought to be punished by a fate worse than death. These idiots think they have some great programming skills because they can exploit people's ignorance and get them to install it, but, the truth is they are the lowest form of sludge in the computing world. Nonetheless, they will always be out there writing this crap. Hence it's up to everyone to be vigilant about keeping as many machines as safe as they can. It's the price we pay for being a digital citizen I'm afraid.

#24 (permalink)
CD Freaks Rookie
Join Date: Mar 2004
Posts: 43

Re: Nasty Anydvd 4581 file on Emule

Just a note: I build and program computers, and ALWAYS do virus scans even on 'safe' downloads from shareware/demoware sites. I also have Spybot and Spyblaster, and TeaTimer and other programs running all the time, not to mention a multi-layered firewall.

One other thing this Trojan did: It messed up the 16 bit msdos run command. You can go to Microsoft and do the fixes. You fix 3 files: autoexec.nt, config.nt, & command.com. You have to expand them from your XP disk into your system32 folder to fix this minor last problem.

Also, running the newest v1.05 Adaware from Lavasoft with newest dat files was what let me into the registry and other things. It IS IS IS worth buying this program.

ALSO!!! It messed up my RETAIL legit copy of AnyDVD even though the demo said CloneCD DEMO. Had to uninstall it as it cut access to my cd/dvd drives, and before it did that it had me burning coasters of my son's newest Retail PS2 disk that I was trying to make a backup copy of. UGH!!!

So, a SAFE site, a SAFE Demo, Scanned with 3 different programs did NO GOOD. Who needs a mule??? program to get a trojan/virus, hah!

Hope this is of some help.

IMHO
isepiq

#25 (permalink)
New on Forum
Join Date: Apr 2005
Posts: 12

Re: Nasty Anydvd 4581 file on Emule

With these MP3 files having been deleted - no-one has said they have recovered the MP3s as well as control of their system. If not, have you tried a file recovery program - eg RecoverMyFiles or Handy Recovery - as I think this coupled with the actions detailed above would fully restore things to "normal". Hope this suggestion helps any innocent users.