Struck down by nasty and clever virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by clarky666, Sep 9, 2009.

  1. clarky666

    clarky666 Private E-2

    Hi folks,

    Long-time reader but first-time poster. I'm at work just now so I will keep this as brief as I can.

    Last night I got struck down with a virus which I haven't seen before.

    It started off with the usual malware signs in that it was redirecting Firefox and sending any Google searches to other sites. No big deal, I thought, as I've had this before and usually managed to solve it in a timely manner. However, this has manifested into something worse, which I found out when trying to fix it.

    It seems the virus(es) has screwed with my group policy or local admin rights in that the little bastard blocks and terminates the background services associated with almost every antivirus and anti-malware program I've tried. It then also blocks them from being manually restarted via services.msc, saying I don't have sufficient access levels to perform the task... very clever.

    Further to this, it's removed and greyed out all my system restore points and tweaked my boot.ini so there is no sign of it in msconfig! Finally, it's also made some change to the BIOS in that the keyboard is rendered totally useless when rebooting, so I can't get a sniff of F8 or whatever to try and boot into safe mode. I tried re-enabling USB legacy support but this made no difference.

    So I'm getting a little worried now. I work in IT so I have a limited knowledge of what I am doing and tried to be proactive based on previous experience and other people's knowledge from posts on here, but I'm running on empty now. HijackThis gets about 60% into compiling a log before it self-terminates with a similar "permission denied" error, so I can't even provide that.

    Fortunately I have my personal stuff backed up onto a secondary slave drive, which I've disconnected and tucked away safely.

    Any ideas before I have to format and reinstall? It's XP SP2 with automatic updates on and Kaspersky installed, with a weekly(ish) run of MalwareBytes and Ad-Aware to be safe.

    Sorry for the long-winded post! Any help appreciated.

    Steven.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    The first thing you have to do is stop randomly running things. This will not help and will eventually just make every program on your PC unusable. These infections require very controlled, methodical steps to fix, and even then they can leave residual damage behind, which could mean a format/reinstall will be required. The infection replaces system files with its own copies, and the first step is to identify which system file and repair it. Then steps can begin to try and recover from the remaining damage. Please do the below to get started:

    If something does not run, write down the info to explain to us later but keep on going.

    • Do not assume that because one step does not work that they all will not.

    Now download this Win32kDiag and save it to your Desktop.
    • Double-click the utility to run it and let it finish.
    • When it states "Finished! Press any key to exit", press any key to close the program.
    • It will save a Win32kDiag.txt file to your Desktop automatically. Attach this log file to your next message.
    See: HOW TO: Attach Items To Your Post


    Now download SysProt AntiRootkit.

    This is a ZIP file, so unzip it onto your Desktop, which should create a SysProt folder on your Desktop.
    • Open the SysProt folder by double clicking it
    • Double click Sysprot.exe to start the program.
    • Click on the Log tab.
    • In the "Write to log" box, make sure the following items are selected or unselected as shown:
      • Process << Selected
      • Kernel Modules << Selected
      • SSDT << Selected
      • Kernel Hooks << Selected
      • IRP Hooks << NOT Selected
      • Ports << NOT Selected
      • Hidden Files << Selected
    • At the bottom of the page
      • Hidden Objects Only << Selected
    • Click on the Create Log button on the bottom right.
    • After a few seconds a new window should appear.
    • Select Scan Root Drive. Click on the Start button.
    • When it is complete a new window will appear to indicate that the scan is finished.
    • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Attach the SysProtLog.txt log file to your next message.

    Note:

    To avoid additional delay in getting a response, it is strongly advised that after completing the above instructions you also read this sticky:
    Any additional post is a bump, which will add more delay. Once you attach the logs, your thread will be in the work queue and, as stated, our system works the oldest threads FIRST.
     
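The reply above says the first step is to find which system file the infection has replaced with its own copy. As an added illustration of that defensive check (not a tool from the thread or from MajorGeeks), the PowerShell below lists files under System32 and System32\drivers whose Authenticode signature does not verify, newest-modified first, so a replaced binary stands out; it assumes a modern PowerShell where Get-AuthenticodeSignature is available, and the paths are the standard Windows ones rather than anything named in the thread.

```powershell
# Added example: flag system binaries whose signature does not verify.
# Assumption: PowerShell 3+ with Get-AuthenticodeSignature; run from an
# elevated prompt so every file under System32 can be read.
$systemDir = Join-Path $env:SystemRoot 'System32'
$driverDir = Join-Path $systemDir 'drivers'

# Only executable code is of interest here: EXE, DLL and driver SYS files.
$targets = Get-ChildItem -Path "$systemDir\*", "$driverDir\*" `
    -Include *.exe, *.dll, *.sys -File -ErrorAction SilentlyContinue

$results = foreach ($file in $targets) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        Path        = $file.FullName
        Status      = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        LastWritten = $file.LastWriteTime
    }
}

# HashMismatch is the strongest signal: the file carries a signature but its
# contents no longer match it, which is what a patched system file looks like.
$mismatch = $results | Where-Object { $_.Status -eq 'HashMismatch' }

# Anything else that is not Valid is worth a second look, sorted by most
# recent modification, since a replaced file is usually newer than its peers.
$other = $results |
    Where-Object { $_.Status -ne 'Valid' -and $_.Status -ne 'HashMismatch' } |
    Sort-Object LastWritten -Descending

"== Files whose signature no longer matches their contents =="
$mismatch | Format-Table Path, Signer, LastWritten -AutoSize

"== Other files without a valid signature (newest first) =="
$other | Select-Object -First 25 | Format-Table Path, Status, LastWritten -AutoSize
```

Many Windows binaries are signed only through a catalog rather than an embedded signature, so NotSigned on its own is not proof of tampering; compare the list against a known-clean machine of the same build, and treat HashMismatch entries and unexpectedly recent LastWritten times as the items to investigate first.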
