My Malware battle story

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Gregthechemist, Dec 27, 2011.

  1. Gregthechemist

    Gregthechemist Private E-2

    First I want to thank MajorGeeks, BleepingComputer and the entire anti-malware community online. You guys have saved me a few times and I can't thank you enough!!

    I felt that I should post my story after a particularly harrowing malware experience this past Christmas day (thanks Santa...). I emerged victorious after hours of lurking through anti-malware forums like this one, and I hope perhaps someone could learn something from my eventual victory.

    Don't do exactly what I did, though, go follow this guide from MajorGeeks:
    http://forums.majorgeeks.com/showthread.php?t=35407

    So, on Christmas day my fiancee calls me over to a dozen open windows of "XP Security 2012" as well as several nonfunctional browsers and applications. Her computer is a Pentium D, 1 GB RAM, running XP SP3 and using Symantec security software.

    Google took me straight to:
    http://www.bleepingcomputer.com/virus-removal/remove-xp-security-2012

    Following the instructions, I brought over RKill, TDSSKiller and Malwarebytes Anti-Malware on a flash drive and ran them in that order. RKill found some processes to crush, TDSSKiller found cdrom.sys was infected, and Malwarebytes repaired a bunch of files.

    After these fixes the computer was booting up fine and behaving normally... except that the internet and CD/DVD were not working. The internet claimed "media disconnected" in ipconfig and the CD/DVD drive no longer came up in explorer.

    So then I was really stumped for a while.

    I finally made it to MajorGeeks.com and felt bold enough to try running the ComboFix - which alerted me that I indeed had rootkit.zeroaccess! Then ComboFix ran and rebooted a few times, telling me that it wouldn't engage all of the repairs until Windows Recovery Center was installed. I brought over the install file for Windows Recovery Center and let ComboFix install it, but even after running ComboFix again, the internet and CD/DVD were still completely nonfunctional.

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    I uninstalled the network adapter (Intel Pro 100 VE), rebooted, and then brought over the files to reinstall it. No luck, still "media disconnected". I spent a while trying to figure out if I could make an XP USB key to repair the drivers or reinstall windows, but every type of XP USB boot gave fatal errors or blue screens. I wasn't feeling confident enough to individually repair drivers in Windows Recovery Center, so I felt pretty stuck and lost.

    Then I uninstalled the CD/DVD drivers, rebooted, and the CD/DVD was back to normal. I disabled/enabled/repaired the network adapter and then, presto! We have a computer again.

    This is just a case history of an eventual success, not a recommendation or a guide. Good luck and don't give up fighting malware!

    Gregthechemist
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Glad to hear you got it fixed. Thanks for sharing.

    What these infections are doing is causing various .SYS files to be infected (yours was the cdrom.sys driver file, which is why the CD/DVD then would not work) and they also break various services required for internet connections and firewalls to work.

    In many cases, the registry keys are actually deleted and even doing a repair (like you did) will not fix them. You have to manually put the entries back into the registry. The problem is that the malware will have changed permissions on the registry keys, making this task much more difficult. You will have to fix permissions first and then fix the registry keys. Your infection may have not gotten to the point where it completely deleted registry keys or changed permissions, as you started to remove the malware. Is your Windows Firewall or other firewall working now?

    Basically the malware is fighting back when you start removal processes and their answer is to break the PC. ;)
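The check chaslang describes (are the service registry keys still there, and have their permissions been tampered with?) can be scripted so the state of the box is clear before any manual repair starts. The following is an added example and not code from the thread or from MajorGeeks; the list of service names it inspects is an assumption chosen to cover networking and the Windows Firewall on an XP-era machine, and it is read-only: it reports, it does not fix anything.

```powershell
# Added example (not from the thread): read-only health check for the services
# that networking and the Windows Firewall depend on, covering the registry keys
# and permissions that the reply above says the malware deletes or locks down.
# The service list is an assumption for illustration; adjust it for your own box.
# Run from an elevated PowerShell prompt. Nothing here changes the system.

$services = @(
    'SharedAccess',   # Windows Firewall / Internet Connection Sharing (XP)
    'Dhcp',           # DHCP Client
    'Dnscache',       # DNS Client
    'Netman',         # Network Connections
    'Tcpip',          # TCP/IP protocol driver (kernel driver, not a Win32 service)
    'AFD',            # Ancillary Function Driver for Winsock (kernel driver)
    'wuauserv'        # Automatic Updates
)

$fullControl = [System.Security.AccessControl.RegistryRights]::FullControl
$findings = @()

foreach ($name in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"

    # 1. Is the service registry key still present? A missing key means the
    #    service cannot start or be repaired until the key is restored.
    if (-not (Test-Path $key)) {
        $findings += "[MISSING KEY] $key"
        continue
    }

    # 2. Do SYSTEM and Administrators still hold FullControl on the key? Stripped
    #    rights block any repair until the permissions are reset first.
    $acl = Get-Acl -Path $key
    foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $hasFull = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $principal -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.RegistryRights -band $fullControl) -eq $fullControl)
        }
        if (-not $hasFull) {
            $findings += "[ACL] $principal lacks FullControl on $key"
        }
    }

    # 3. Ask the Service Control Manager about Win32 services only. Kernel and
    #    file-system drivers (Type 1 or 2) are not listed by Get-Service, so
    #    skip them rather than report a false "not registered".
    $type = (Get-ItemProperty -Path $key -Name Type -ErrorAction SilentlyContinue).Type
    if ($type -band 0x3) { continue }

    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $findings += "[SCM] service '$name' not registered"
    } elseif ($svc.Status -ne 'Running') {
        $findings += "[STATE] service '$name' is $($svc.Status)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'All checked services present, running, and with intact permissions.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

A "[MISSING KEY]" line means the registry entries for that service have to be recreated before anything else, and an "[ACL]" line means permissions must be restored before those entries can be written, which is exactly the ordering chaslang gives: fix permissions first, then the keys. The lines this prints are also useful to paste into a help thread, since they tell the person helping you what state the services are in without guesswork.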
     
