
Help with vicious virus

  • 12-04-2005 1:55pm
    #1
    Closed Accounts Posts: 680 ✭✭✭


    My mate got a really bad virus on his computer the other day, and he's asked me to fix it for him, instead of giving it in to get repaired. Here's what happened: He was playing internet poker, and a popup came up saying "somebody is trying to access your account details, disconnect from the internet immediately". I'm not sure if this was an internet popup, a firewall message, or something else (my mate was a little dodgy on specifics), so he pulled the plug out of the wall. When he turned it back on, his computer was ****ed. Intentionally ****ed, not sudden-loss-of-power ****ed. It still starts Windows, but inside that, a lot of stuff has been changed.

    So here are the problems:
    When you access the start menu, it won't show "All Programs". They're still there, in the file tree, but it won't show them.
    The virus scanner will start, but not scan. It'll freeze up as soon as you try to start it scanning.
    Links in the start menu, like to My Computer and My Network Places, have been renamed to "Folder", and no longer work as links (they don't do anything).
    Things like Help & Support have all gone from the start menu, and when you try to start System Restore, the window will pop up, but not start.
    You can't access the System Restore folders; it says "Access Denied".
    When you start in Safe Mode, it still presents the same problems, which I find highly unusual.

    Anybody have any ideas of what this virus is, or even where to start?

    P.S. It's also worth noting that my mate has a lot of **** on his computer, so finding out if there's something unusual running from the task list is near impossible. There are about 60 entries in it.


Comments

  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    Could be one of many.

    It's almost certainly attached itself to some system-critical executables, so safe mode won't bypass it. It probably recognises certain behaviours and programs that might be used to clean it out and counters by closing them,
    e.g. regedit, Symantec AV.

    Many decent antiviruses will allow you to remove the injected code while keeping the working executable. If you choose one like AVG which isn't as well known, burn it onto CD; chances are that it can install, tell you the names of some of the memory-resident viruses and run a cleanup at boot time. Make sure just to move the files, rather than deleting.

    Or if it fails, you could plug in a machine with an up-to-date AV and clean everything in the windows & system 32 directory through a file share. Then start in safe mode and complete locally.

    Be warned this could take a while, I saw an office PC on dial-up with 400+ corrupted executables.


  • Closed Accounts Posts: 680 ✭✭✭Amaru


    ressem wrote:
    Or if it fails, you could plug in a machine with an up-to-date AV and clean everything in the windows & system 32 directory through a file share. Then start in safe mode and complete locally.

    I'm liking this option, because I've got a laptop and desktop that are both on different AVs with up-to-date stuff, so how would I go about doing it? And is there any chance my computer could become infected by doing it?


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    There is a chance, I wouldn't do it with a critical machine.
    The risk is that a virus running on the other computer might be carrying out network scans, so you should make sure that you've all your Windows and IE patches up to date, and preferably a firewall running on your machine.

    Might be safer to plug in the hard drive into your desktop, in which case there will be no active copies of the virus running.

    Keep in mind that this won't remove registry entries etc.

    AVG has a free 6-week version, so I would try this first on your friend's PC without any of your data at risk.


  • Closed Accounts Posts: 680 ✭✭✭Amaru


    ressem wrote:
    so you should make sure that you've all your windows and ie patches up to date

    This isn't really possible, because of the validity of my copy of XP. I do however have a firewall running, and my AV is up to date.

    I can't transfer the hard drive to a desktop (I think), because the infected comp is a laptop, so they don't fit into each other? Or am I wrong?

    And I'm highly skeptical about how "unknown" AVG is. I got a similar style virus on my own computer, and it cut off AVG too. So I'd need something hardly anybody uses.

    I do realise your point about the registry, but I reckon once an AV picks up what virus it is, there should be info about it on the net, so there'll be steps out there on which values to remove.

    Either way, how do I hook them up?


  • Closed Accounts Posts: 36,634 ✭✭✭✭Ruu_Old


    Try hitting Control+Alt+Delete and see if you can find what apps are running; the virus could be draining the system resources, allowing nothing else to run but itself.


  • Closed Accounts Posts: 680 ✭✭✭Amaru


    I already said that there's so much running that it's hard to isolate, but I did do it for 2 that were taking upwards of 60% each at different times. Both turned out to be harmless.

    And just like that last virus I was saying, there was nothing running in the task list to indicate that it was shutting down the programs.


  • Closed Accounts Posts: 680 ✭✭✭Amaru


    Also, is there a way to run System Restore manually from DOS? Because I think this'd sort the problem out completely, depending of course on whether there are restore points from before the time he got the virus.


  • Closed Accounts Posts: 680 ✭✭✭Amaru


    *Bumping for advice on how to connect 2 laptops to each other*


  • Closed Accounts Posts: 1,415 ✭✭✭Optikus


    I wouldn't recommend linking two PCs together to remove a virus; use the infected hard drive in the safe machine as a slave. Then you should first try all of these free online scanners, scanning the infected drive. Afterwards post your results, if any.

    RAV Antivirus
    Panda Active Scan
    HouseCall

    Also downloading the free version of AVG as mentioned, is highly recommended.


  • Registered Users, Registered Users 2 Posts: 1,375 ✭✭✭Shane O' Malley


    Hi,

    It sounds more like some really nasty spyware than a virus.

    If it was a virus that had reached its payload date, it is likely that the damage is done and you would need to reformat and re-install.

    If it is spyware, running the spyware scanner from one machine scanning another machine will probably not work either, as most of those programs will not work across networks, nor will they be able to scan the remote registry.

    Best bet is to try and use system restore. If that fails it is very unlikely that the best repair tool will work.

    Best of Luck


  • Closed Accounts Posts: 680 ✭✭✭Amaru


    Shane O' Malley wrote:
    Hi,

    It sounds more like some really nasty spyware than a virus.

    If it was a virus that had reached it payload date, it is likely that the damage is done and you would need to reformat and re-install.

    If it spyware, running the pryware from one machine scanning another machine will prob not work either as most of those programs will not work across networks nor will they be able to scan the remote registry.

    Best bet is to try and use system restore. If that fails it is very unlikely that the best repair tool will work.

    Best of Luck

    I highly doubt it's spyware, because the damage done, and continuing damage, is highly uncharacteristic of spyware. This isn't a popup window, or somebody jacking the homepage; this has attached itself to the critical commands of my system. No spyware I know does that.

    And I already said that System Restore freezes whenever I try to start it.


  • Registered Users, Registered Users 2 Posts: 1,375 ✭✭✭Shane O' Malley


    Much spyware is badly written, and I have seen myself on my laptop what can happen. (Had to reformat and re-install.)

    I have also seen where pop-up blockers and firewalls will cause spyware to freeze up the system as it tries other ways to carry out its work.

    Will the system boot in safe mode (without networking support), and will it allow you to use System Restore?

    There are also some utilities for running a virus scan from a bootable CD. Some of them are Linux based but will still work in identifying if a virus exists and its name. Once you have the name you would have a better idea of the problems you are having.

    I don't know of any anti spyware programs that will run from a bootable CD


  • Closed Accounts Posts: 680 ✭✭✭Amaru


    No, System Restore won't work in safe mode.


  • Registered Users, Registered Users 2 Posts: 1,375 ✭✭✭Shane O' Malley


    http://support.microsoft.com/?kbid=310994

    http://www.bootdisk.com/bootdisk.htm

    Have a look at these sites. May be some help.

    I will look for more info when i get home.

    Any chance you could give us a list of the running processes on the damaged machine? Is it in any way stable enough to produce a listing?

    Is the drive formatted under FAT32 or NTFS? If it is FAT32 you could boot from a Win98 boot disk.

    If you had a WinXP install disk I think you can boot from that to run System Restore.

    Talk to you later

    Shane


  • Closed Accounts Posts: 680 ✭✭✭Amaru


    I could probably post a screen cap of what's running, because I doubt very much that it'll let me run HijackThis. I'll do THAT when I get home!


  • Closed Accounts Posts: 680 ✭✭✭Amaru


    Right, here it is. I don't think you can appreciate the trouble it took to get this picture online, just because of this virus.

    The left is the top 3/4 of the task list, the right is the bottom 1/2. It's pretty easy to see where it overlaps.

    (attachment: tasks.jpg)


  • Closed Accounts Posts: 54 ✭✭charlo_b


    The machine seems to be riddled with adware/spyware....I copped 2 just glancing at the task manager listing.....BPCv2.exe & WebRebates1.exe.

    I'd also look into the 2 processes at the top of the list that are taking up 98% of the machine's CPU!!!


  • Registered Users, Registered Users 2 Posts: 46 RonanH


    I'm no expert, but the first two processes are swamping your proc. I did a search on the first one and this is what came up: click. It mentions that process in the solution, so maybe it is a place to start. Good luck.


  • Closed Accounts Posts: 16,713 ✭✭✭✭jor el


    Man there's a lot of s**t running on that PC. First things I noticed were AOL and Realplayer. That's probably half the battle right there. Realplayer is the most spyware ridden piece of crap I have ever seen. Wipe it out completely and have a look for "Real Alternative" if you need to view streaming media.

    AOL, <shudder>, whyyyyyyyy!

    (attachment: tasks1vr.jpg)
    I've put a dot beside all the tasks I'd question. Not just that I think they may be spyware but just that I don't think you need any of these.

    I see TRAYAP~1 and DATALA~1, I think these are part of the Nokia PC Suite, at least I'm sure I've seen them before and I think they are OK.

    Kill all these tasks and then have a look in the registry for them. Run regedit.exe; usually they can be found under
    Hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\Run and also
    Hkey_current_user\Software\Microsoft\Windows\CurrentVersion\Run

    Delete the strings that contain any of these processes to stop them on the next startup. They can also hide elsewhere. Searching the registry for the filename might help.
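As an added example (not from the thread or any poster), here is a read-only PowerShell script that lists the two Run keys named above, plus the sibling RunOnce keys, and for each entry resolves the executable it points to, checks that the file exists, and checks its Authenticode signature. It assumes a current PowerShell rather than the 2005-era XP machine; the parsing of the command line is a hypothetical helper, not a Windows API.

```powershell
# Added example: inventory autorun entries under the Run/RunOnce keys.
# Read-only: nothing is deleted or killed; the output is for review.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: pull the executable path out of a Run value's command line.
function Get-ExecutablePath {
    param([string]$CommandLine)
    # Quoted form: "C:\Program Files\Vendor\tool.exe" /arg
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted form: C:\Windows\system32\tool.exe /arg
    if ($CommandLine -match '^\s*(\S+\.exe)') { return $Matches[1] }
    # Fallback: first whitespace-delimited token
    return ($CommandLine -split '\s+')[0]
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata (PSPath, PSChildName, ...) that Get-ItemProperty adds
        if ($p.Name -like 'PS*') { continue }
        $cmd = [string]$p.Value
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $cmd))
        $exists = Test-Path -LiteralPath $exe
        # A missing file, or a NotSigned/HashMismatch status, is what a reviewer looks at first
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
        [pscustomobject]@{
            Key       = $key
            Name      = $p.Name
            Command   = $cmd
            Exists    = $exists
            Signature = $sig
        }
    }
}

$results | Format-Table -AutoSize
```

Entries whose executable does not exist, or that resolve to an unsigned file in a user-writable directory, are the ones to cross-check against the task list before deleting anything.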


  • Closed Accounts Posts: 680 ✭✭✭Amaru


    charlo_b wrote:
    I'd also look into the 2 processes at the top of the list that are taking up 98% of the machines CPU!!!

    I thought the exact same thing the first time I looked at it, but it turns out that this happens with any 2 processes. Like, I'll stop the top 2, and a random 2 other processes in the list will jump to take up about 50/50 each. It'll happen with ANY 2 processes.


  • Registered Users, Registered Users 2 Posts: 20,553 ✭✭✭✭Dempsey


    Get Ad-Aware, Spybot, MS AntiSpyware. Update them and run them one at a time and they'll find 99.99% of spyware; then get AVG, make sure its definitions are up to date and run that. If any virus cannot be cleaned, create rescue disks and use them.


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    Sorry, was distracted.

    Are both laptops running XP?
    Do both have network adapters, cables?
    Do you have a network switch available, or 4 port DSL router?

    If you've a router then just plug both devices in; the IPs will be configured on the same subnet by DHCP.
    Allow file and printer sharing on the infected laptop. (Control Panel / Network Connections; also under Advanced you may need to allow file and printer sharing as an exception under Windows Firewall.)

    Use ipconfig to get the IP of the infected laptop. You should be able to access the C drive under \\ip.num.he.re\c$
    Try to map it as a drive letter (Tools, Map Network Drive) on the uninfected laptop.
    The user name and password will have to be those of the infected machine's administrator.


    Otherwise...
    Are both laptops Dells by any chance? With a free external drive bay?
    Are you comfortable installing and uninstalling a hard drive from a laptop? It isn't hard with common Dells; just unscrew and plug out from the side of the laptop.

    It might be possible to get a plug-in 2.5" HDD drive container to plug the infected drive into your laptop, depending on your laptop's Dell model.

    The preferred option.


  • Closed Accounts Posts: 178 ✭✭MrShadow


    A good place to start is to download McAfee's stinger.exe;
    it should scan for the worst viruses out there.

    Use msconfig to disable all start up: use the selective start up with no ticks.
    If msconfig does not run then create a copy called msconfig.com.

    But seeing how you have taskmgr working you should have no bother with msconfig.

    Get HijackThis and run it, post up a log of what's set to run and we can give more advice on the next steps.

