worm - using shell, freedos kernel, hijacks network

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by atha, Jun 8, 2012.

  1. atha

    atha Private E-2

    I have had huge problems for the last 2 weeks. Got a virus that mods admin rights, adds a shell, hijacks the router and all cellphones and computers connected to it.
    I have no chance to remove it (I have tried all majorgeeks.com methods); nothing works. I can't use cmd, I can't repair. All tasks, programs and commands run through a shell and get reversed.

    This is what I know about it:

    Adds a FreeDOS kernel, replacing config.sys with a heavily modded fdconfig.sys
    Mods the MBR
    Adds tons of shadow disks into high memory with himem.exe
    Replaces the BIOS version and modifies the system time.
    Adds a huge amount of entries in the register.
    Adds delay timers on CD-ROM, keyboard, mouse, all USB devices
    Grants super admin rights to NT authority. Removes all rights to other users

    Programs I have seen added in the register:

    Windows powershell
    Messenger live mesh
    Messenger live writer
    Java FX

    I write this from memory as my comp is totally destroyed.
    There are basically hundreds of added programs.

    This is what I have tried: (that doesn't work)

    Restore or update BIOS from cd
    using any kind of logging/removal tool
    Restore, repair, reinstall from authentic windows cd
    Repair mbr with fdisk using rescue cd
    Using Kaspersky rescue disk via CD-ROM and usb
    Using new ssd disk and new motherboard.
    Hard reset of motherboard.
    Using a usb to SATA adapter to format ssd (worm uses a block device command)
    All this tried with no internet connection.

    Also infected:
    Asus eee 1101ha laptop win7 sp1
    Msi x370 win7 home premium sp1
    HTC desire with Android 2.3

    Main computer:
    Asus sabertooth motherboard
    Win7 home premium sp1 fully patched
    Intel I7 920 CPU

    Before you ask me to use system repair or add logs here, remember: it doesn't work. All commands, programs and tasks are shelled, redirected and reversed.
    Even cmd, F8 options etc.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    If it really has done all this, you are probably better off formatting and reinstalling.

    It is "registry" and these are normal programs.


    If you wish to try one thing before reinstalling, try the below on your Win 7 PC. Use the boot from Windows installation disc option since you say you have the DVD. If you cannot get to the System Recovery Options menu then reinstall is likely the fastest solution.

    Please do the below so that we can boot to System Recovery Options to run a scan. There will be two options to choose from. One if you do not have your Windows 7 boot DVD and another when you have your DVD.

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.



    Option 1: Enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    Option 2: Enter System Recovery Options by using the Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for the x64 version type e:\frst64.exe) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
     
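The notepad detour in the steps above exists only to discover which drive letter the recovery environment gave the flash drive. The batch script below, an added example that is not part of the original post and not part of FRST, does the same hunt from the System Recovery Options command prompt: it picks FRST.exe or FRST64.exe from PROCESSOR_ARCHITECTURE, probes every drive letter for it, runs it, and tells you where FRST.txt should have landed. It assumes the FRST executable sits in the root of the flash drive and that PROCESSOR_ARCHITECTURE is set in the recovery environment (x86 or AMD64); both are assumptions, not facts from the post.

```batch
@echo off
rem run-frst.cmd: locate and launch Farbar Recovery Scan Tool from the WinRE
rem command prompt without finding the flash drive letter by hand.
rem Added example; not from the original post and not part of FRST itself.
rem Assumptions: FRST.exe / FRST64.exe are in the root of the flash drive, and
rem PROCESSOR_ARCHITECTURE is populated in the recovery environment.
setlocal enableextensions

rem Pick the build that matches the recovery environment's architecture.
if /i "%PROCESSOR_ARCHITECTURE%"=="AMD64" (set FRST_EXE=FRST64.exe) else (set FRST_EXE=FRST.exe)

rem WinRE often shifts drive letters, so probe every letter rather than guessing.
for %%D in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if exist %%D:\%FRST_EXE% (
        echo Found %FRST_EXE% on drive %%D:
        rem /wait holds the prompt until FRST exits, so the log is written before you look.
        start "" /wait %%D:\%FRST_EXE%
        if exist %%D:\FRST.txt (
            echo Scan log written to %%D:\FRST.txt - attach that file to your reply.
        ) else (
            echo FRST exited but %%D:\FRST.txt was not created; rerun and press Scan.
        )
        goto :done
    )
)

echo %FRST_EXE% was not found on any drive C: to Z:. Is the flash drive plugged in?
exit /b 1

:done
endlocal
```

Save it beside FRST on the flash drive; you still type one drive letter to start the script, but the same loop can be typed straight at the recovery prompt with single percent signs, e.g. `for %D in (C D E F G H I J K) do @if exist %D:\FRST64.exe echo %D:`, which prints the letter without running anything.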
