I have a horrendous virus issue with a machine I'm working on. I will list the steps I have taken so far and information on what I have seen. I am really curious to see if anyone has seen this and knows what is going on for me.
Machine came in with an OS error, missing ntoskrnl.exe. Drive was pulled and put into another system and scanned with Symantec Corporate Edition (SAV). Multiple Bugbear / keylogger files were found and quarantined. System was deemed to be compromised and would be reloaded. All software was copied off to another machine. Original drive was fdisk'd and system restore from the recovery partition was run (HP Pavilion). OS is XP Home. Data was transferred back. Profile data was put back in place, 3rd party apps re-installed and data replaced.
Norton retail 2004 was put on and updated. Symantec Bugbear removal tool was run and reported clean. XP firewall enabled. Spybot put on, cleaned and immunized. Machine was returned to customer.
Just a few days later the machine was returned with another failed OS error, Cx00000015 Application error. This was a blue screen stop error. Pulled drive again, ran full scan, appeared clean; SAV found nothing. Windows repair reinstall was run. I received a bunch of registration errors but the re-install completed and the machine booted to desktop OK and all services appeared to be starting. However the machine appeared to hang and not respond. Taskmgr reported a file dhzzyl.exe was running. Most likely a randomly generated viral process. Killed the app process tree, and it would restart again. Checked registry, found it was set to start in hklm\run. Removed and rebooted system. Process kept coming back. After about 30 minutes of diagnosing the machine further, the machine blue screened again with the same application error.
Bleh, so I pulled the drive, downloaded AVG and ran a scan. It found 2 Bugbear dll files in the system32 folder and, here is the weird part, AVG reported many hidden exe files (filename.jpg.exe). The infected files would be cleaned, but after a rescan they were reported to be infected again. I just manually deleted the jpg.exe files, possibly the introduction of the virus, deleted the Bugbear dll files and the random exe file. Slapped the drive back in, and performed an XP repair reinstall again. Loaded up AVG locally and, to my dismay, AVG kept reporting Bugbear infection, with the random dll files getting generated in the system32 folder. Running Sysinternals Process Explorer, there did not appear to be any abnormal running applications.
If this was Bugbear, I should be able to clean it up, but I can't seem to. If it was a known virus the source file should have been detected and stopped. The virus must have been residing somewhere in the data that was transferred back to the machine originally, because I was personally guaranteed that the machine was not placed back on any network, including internet access. The restore partition was scanned with AVG and reported clean. I have no idea how it became reinfected again, nor why I can't seem to fully get it cleaned up and stop the continuous infection source. I doubt they clicked on these jpg.exe files.
So anyway, I am retransferring the data (programs, data, not the Windows folder) again and am going to have to reload, because the OS is very buggy and having weird dll errors and crashing, as well as the apparent continuing Bugbear infection. I am assuming somewhere in the registry the virus is getting linked to run, either a shell extension or vxd driver, somewhere. Why SAV and AVG can't find the source is beyond me. I have put AVG on the original machine I transferred data to (the data having since been removed and now being retransferred) and it is clean; my workstation where I put the drive originally has AVG and is clean.
I am praying that after I reload, retransfer and update, this infection will be cleaned.
Jason
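The post describes two things worth triaging in the copied-back user data before it is restored: disguised double-extension executables like filename.jpg.exe, and "cleaned" files that come back unchanged after a rescan. The script below is an added example and not part of the post or any of the tools it names; it walks a directory, flags document-looking names ending in an executable extension, records each file's hash so a second pass can tell whether a removed file reappeared byte-for-byte identical, and builds a small constructed sample tree (the names and contents are made up) to run against.

```python
import hashlib
import os
import re
import stat
import tempfile

# Document-looking inner extension followed by an executable outer one,
# e.g. "holiday.jpg.exe": the disguise pattern reported in the post.
DOUBLE_EXT = re.compile(
    r"\.(jpe?g|gif|bmp|png|txt|doc|pdf)\.(exe|scr|pif|com|bat|cmd)$", re.IGNORECASE
)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_hidden(path):
    # Windows exposes the hidden attribute via st_file_attributes (Python 3.5+);
    # elsewhere fall back to the dot-file convention.
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")


def find_suspicious(root):
    """Return {relative_path: (hidden, sha256)} for every double-extension executable under root."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if DOUBLE_EXT.search(name):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                found[rel] = (is_hidden(full), sha256_of(full))
    return found


def reappeared(before, after):
    """Paths flagged in both scans with an identical hash: a removed file that came back unchanged."""
    return sorted(p for p in before if p in after and before[p][1] == after[p][1])


def build_sample_tree(base=None):
    # Constructed sample data (hypothetical names and bytes): two disguised executables and a real picture.
    base = base or tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "My Pictures"), exist_ok=True)
    for rel, data in [("My Pictures/holiday.jpg.exe", b"MZ-fake-dropper"),
                      ("My Pictures/.notes.txt.scr", b"MZ-fake-screensaver"),
                      ("My Pictures/holiday.jpg", b"\xff\xd8\xff real jpeg header")]:
        with open(os.path.join(base, rel), "wb") as f:
            f.write(data)
    return base
```

Run `find_suspicious` once on the copied-off data, delete what it flags, and run it again after the next scan; anything `reappeared` returns is being re-dropped by something still live rather than by the user.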