
The Most Evil Virus I've Seen Yet


abferm


Well, if you want to see running processes and you can't use Task Manager, you could use Metasploit or Armitage to use some web attack to get an open session and then see processes and possibly kill them too.


Create a bootable Windows disk, such as UBCD4WIN, and then remove the offending files. The nice thing about bootable Windows is that you can also use regedit to repair the registry and remove start files from starting with the computer. You can also edit services while in there from the command line and remove any virii that made themselves a service while in the live Windows environment.

Another thing you can try is booting into safe mode as administrator and then creating a new profile. Be sure to check the default profile first, so that the virus didn't install itself there as well, or it will show up with the new user. Once the new user account is created, boot into it to make sure it works. If it's clean and everything is working, take ownership of the old profile's files, move them to the new account, then delete the old account. This is something you should check with the customer on first, but it is generally something I do when they don't want to format and reinstall, since that is the cleanest way to fix it; rootkits can hide in device drivers, and the damn thing could be hidden virtually anywhere, including devices (Device Manager > View > Show hidden devices, and you actually get a larger list of software/kernel-mode system drivers and such, like IPv6 extensions that can be disabled, virtual ports, etc.).

Edited by digip

I'm assuming that this also prevents safe mode from running, or you would have already done that.

Then run a USB install of Spybot S&D or ClamWin AV (or both!).

You can always run an Ubuntu live CD and then run an AV.

You could also use Trinity Rescue Kit. (Personally I love this.)

Link: http://trinityhome.org/Home/index.php?content=TRINITY_RESCUE_KIT_DOWNLOAD

-Remotesh


It sounds something like a virus I have removed before called SecurityTool. I would suggest booting into safe mode and seeing if you can install the free version of Malwarebytes Anti-Malware, found here:

Malware Bytes

If you can, scan the computer with it and see if it picks up your virus.

If that doesn't work (a long shot), go to msconfig and remove all entries (in safe mode). Then reboot the computer and see if the virus has stopped. If it has, you know that the problem is in msconfig. Then gradually re-add entries one at a time so you know which entries are the virus entries.


> It sounds something like a virus I have removed before called SecurityTool. I would suggest booting into safe mode and seeing if you can install the free version of Malwarebytes Anti-Malware, found here:
>
> Malware Bytes
>
> If you can, scan the computer with it and see if it picks up your virus.
>
> If that doesn't work (a long shot), go to msconfig and remove all entries (in safe mode). Then reboot the computer and see if the virus has stopped. If it has, you know that the problem is in msconfig. Then gradually re-add entries one at a time so you know which entries are the virus entries.

It is not SecurityTool; I have dealt with that before. I regularly use ComboFix and Malwarebytes; between the two of them they catch almost every virus I have come across. What makes this bug so bad is that Explorer and Task Manager are disabled in regular mode and safe mode, and CMD doesn't start in Safe Mode with Command Prompt, making it impossible to run these tools or msconfig. I was able to fix the problem by booting an install CD, pressing ENTER for install, and then R for repair. Now I am running ComboFix and Malwarebytes to remove the viruses before they can ruin the new Windows files.


Install Avast and schedule it to do a pre-boot scan. It's safer than trying to remove it while Windows is still running. Once you have installed Avast, head over to this URL http://www.avast.com/en-au/download-update to download the latest virus database definitions for it and restart the computer.

This is one of the features I adore about Avast.


Yeah, that doesn't seem like a very mean virus. You can probably just boot into safe mode and modify the Group Policies or regkeys to regain access.

On a side note to virus authors: don't forget to disable safe mode by patching the NTLDR like so:

# Python 2.x Code
import os
import mmap

def patchNtldr(ntldr = 'C:\\ntldr'):
    file = open(ntldr, 'r+')
    size = os.path.getsize(ntldr)
    map = mmap.mmap(file.fileno(), size)
    map.seek(1915)          # Jump to offset
    map.write_byte('\x90')  # NOP Sled, whee!
    map.write_byte('\x90')
    map.write_byte('\x90')
    map.close()

if __name__ == '__main__':
    patchNtldr()

Edited by sablefoxx

> Yeah, that doesn't seem like a very mean virus. You can probably just boot into safe mode and modify the Group Policies or regkeys to regain access.

You could try that; that's one way to enable it, but what if the virus has been designed to revert this process? Then the only way to fix it would be by removing the virus or reinstalling Windows altogether, but that would be the last resort.

Edited by Infiltrator

My advice to people who have an infected machine is to reinstall from scratch. Install the OS, then your anti-virus, and update both. Then install your other software and data (remembering to scan everything you are restoring from a backup). It takes a while, but you are much more likely to have a clean, usable machine at the end than by trying to remove malware yourself.

It is a bit harder for you as it isn't your machine, so you would probably have to check with your customers that they are all right with the reinstall and that they have backups of all their data and software.


Well, I forgot to mention: if the machine logs in, you can use Win+U to open Utilities, then press Help; it will then open Internet Explorer, then Explorer, then cmd.

@sablefoxx: very interesting, that is.


For those of you who didn't read post #11, I could not run anything even in safe mode. I ran a repair from an install disk so no data was lost and used ComboFix to find the responsible files before they were reactivated.

Edited by abferm

> For those of you who didn't read post #11, I could not run anything even in safe mode. I ran a repair from an install disk so no data was lost and used ComboFix to find the responsible files before they were reactivated.

Another thing you can try is to disconnect the hard drive from this computer and connect it to a spare computer as a slave hard drive.

Make sure the antivirus on the spare computer is up to date, before connecting the slave HDD.

Once the slave HDD is connected, run a full virus scan and backup all the data you can from it and reinstall Windows from scratch. That's what I would've done.

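Several replies in this thread come down to the same offline check: digip's suggestion of editing the registry from a boot disk, sablefoxx's remark that the Group Policy/registry keys are what lock the user out of Task Manager and Explorer, and the slaved-drive approach just above. The PowerShell script below is an added example written for this page; it is not code from any poster or from any tool mentioned here. It assumes the infected disk is attached to a clean, up-to-date machine as drive E:, that the user profile is at the assumed path in the parameters, and that it runs from an elevated prompt (reg.exe load needs administrator rights). It loads the offline SOFTWARE hive and the user's NTUSER.DAT, lists the Run/RunOnce autostart entries, the Winlogon Shell and Userinit values, and the policy values that disable Task Manager, regedit, Run and cmd, and optionally clears those policy values.

```powershell
# Added example, not code from the thread. Assumes the infected drive is attached
# to a clean machine as E: and this runs in an elevated PowerShell session.
param(
    [string]$SoftwareHive = 'E:\Windows\System32\config\SOFTWARE',        # assumption
    [string]$UserHive     = 'E:\Documents and Settings\Owner\NTUSER.DAT', # assumption
    [switch]$RemoveRestrictions                                           # clear lockout values found
)

# Autostart locations relative to the "Software" level of a hive.
$RunKeys = @('Microsoft\Windows\CurrentVersion\Run',
             'Microsoft\Windows\CurrentVersion\RunOnce',
             'Microsoft\Windows\CurrentVersion\Policies\Explorer\Run')

# Policy values that lock the user out of the usual recovery tools.
$Restrictions = @(
    @{ Key = 'Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Key = 'Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Key = 'Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun' },
    @{ Key = 'Policies\Microsoft\Windows\System';                  Name = 'DisableCMD' }
)

function Mount-Hive([string]$File, [string]$Name) {
    & reg.exe load "HKLM\$Name" $File | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $File" }
}

function Dismount-Hive([string]$Name) {
    [GC]::Collect()                         # drop handles PowerShell still holds on the hive
    & reg.exe unload "HKLM\$Name" | Out-Null
}

# $Root is the "Software" level of a mounted hive, so the same relative paths
# work for HKLM\SOFTWARE and for the Software subkey of a user's NTUSER.DAT.
function Get-AutostartEntries([string]$Root) {
    foreach ($rel in $RunKeys) {
        $key = Join-Path $Root $rel
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata
            [pscustomobject]@{ Key = $rel; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-WinlogonValues([string]$Root) {
    $key = Join-Path $Root 'Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Shell    = $p.Shell      # normally Explorer.exe; anything else replaces the desktop
        Userinit = $p.Userinit   # normally <windir>\system32\userinit.exe, (trailing comma is expected)
    }
}

function Get-Restrictions([string]$Root, [switch]$Remove) {
    foreach ($r in $Restrictions) {
        $key = Join-Path $Root $r.Key
        if (-not (Test-Path $key)) { continue }
        $val = (Get-ItemProperty -Path $key -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
        if ($null -eq $val) { continue }
        [pscustomobject]@{ Key = $r.Key; Name = $r.Name; Value = $val }
        if ($Remove) { Remove-ItemProperty -Path $key -Name $r.Name }
    }
}

Mount-Hive $SoftwareHive 'OfflineSoftware'
Mount-Hive $UserHive     'OfflineUser'
try {
    $roots = @{ 'HKLM\SOFTWARE' = 'HKLM:\OfflineSoftware'
                'NTUSER.DAT'    = 'HKLM:\OfflineUser\Software' }
    foreach ($label in $roots.Keys) {
        "== Autostart entries in $label =="
        Get-AutostartEntries $roots[$label] | Format-Table -AutoSize
        "== Lockout policy values in $label =="
        Get-Restrictions $roots[$label] -Remove:$RemoveRestrictions | Format-Table -AutoSize
    }
    "== Winlogon (HKLM\SOFTWARE) =="
    Get-WinlogonValues 'HKLM:\OfflineSoftware' | Format-List
}
finally {
    # Always unload, or the drive cannot be detached cleanly and the hives stay locked.
    Dismount-Hive 'OfflineUser'
    Dismount-Hive 'OfflineSoftware'
}
```

Run it once without switches and compare every autostart command and the Winlogon values against what you expect on a clean install of the same Windows version; an unfamiliar executable in a Run key or a Shell value other than Explorer.exe is what to scan and remove with the tools the thread recommends. Only then rerun with -RemoveRestrictions to clear the lockout values, which only works while the hive is offline, so the infection cannot put them back before the machine is cleaned.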
