
Very Nasty Virus/Spyware 3

Status
Not open for further replies.

mKeller10

Technical User
Jun 27, 2010
3
US
This is Windows XP SP3. I have encountered an extremely nasty virus/spyware situation and everything I have tried has produced some results but not enough to straighten out the machine. The malware/virus occurred under a user with administrative rights. This user does allow for a boot up but the system is not very functional. Most icons render an "Application Not Found" message or a "Select the Program to Open This with" window with a list of choices. There is the standard administrative login that, while not perfect, does allow me to perform some analysis and take some corrective measures. From that login I have run MalwareBytes which caught close to 80 things, then I ran SuperAntiSpyware which caught about another 15, then I ran Spyware terminator which caught another 4 and then I ran an Avast scan which also caught four items. After this I tried unsuccessfully to implement several previous restore points but none of them ran successfully. The restore point I created today before trying to run the older ones did restore properly. I ran Combo Fix which caught a RootKit and rebooted and then finished upon reboot. I then rebooted and logged in under the other login but all the corruption characteristics are still there. I tried to download ComboFix and run from this login but the icon functions like all the other corrupt icons, producing a "Select the Program to Open this with" window. I am looking for suggestions, ideas, assistance before I just install a new drive, lay down a fresh install, grab the files I need off the old drive, and move on. I would like to fix this if at all possible. Thanks much for any assistance!!!
 
You have pretty much taken all the corrective measures, except one, to get rid of all RESTORE POINTS, as that is a place where some malware hides...

after cleaning out the RESTORE POINTS, you could attempt a repair installation with an XP SP3 CD, and if that fails then do a complete clean install and recover the data from the affected drive...

How to Perform a Windows XP Repair Install



Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
I assume you're trying to straighten out this operating system by running MalwareBytes, Avast, etc., which are all installed on that machine.

Bear in mind that you are spending time (and possibly money) on trying to repair a system which may never be quite the same again, even if you manage to get it squeaky clean...

I'd remove the hard disk from that machine and attach it as a secondary drive to another PC with a known clean operating system. Run that machine's antivirus and let it scan the secondary (compromised) drive. Use something like Antivir's Avira, for example.

When you try to clean a machine using its own antivirus system, the malicious code is often clever enough to hide itself, transmogrify, or just plain switch off or corrupt whatever you have installed to clean it.

ROGER - G0AOZ.
 
Both very good advice. Thank you very much. I hadn't thought of the restore points. I am really reluctant to spend time repairing (a repair install) the operating system because I really feel that the environment is so flawed at this point it will not really ever be clean. I was intending to put a new drive in there, lay down the operating system, hook the old drive up, run some corrective tools again on that drive from the new drive, see how that goes, and grab the documents, email, etc. from the old drive that are needed to go forward. Now here's a follow-up question. I would like to wipe out the bad drive with a reformat and repartition with different parameters and then clone the new drive back onto the old and reuse it. Will a repartition with a different sized partition and a reformat clean that drive of everything that might be lingering? Sounds like a stupid question but this thing is so nasty and it has me a little spooked!
 
Your tale of woe is a classic example of why no-one should ever use their PC with Administrator rights (but switch to admin when necessary).

Repartitioning a drive & re-formatting will not necessarily destroy all the data.

There are a number of disk wiping tools that will ensure that the drive is fully overwritten.

My advice would be to download one of the many live Linux toolkit CDs.

Most of these also have Antivirus Software (complete with online definition updates) with the advantage that any compromised files on the host machine will not be able to run & re-infect the system.

 
Yes IPGuru, I am well aware of the issues with login with administrative rights. I have 50 machines at work, only four of them have administrative rights. Three of the four users are very careful, but on the fourth machine, every 3 to 6 months it requires major attention. You are definitely preaching to the choir here. Thanks a lot for the advice on the reformat. I will look for some tools to assist with the wipe out of the drive. Thanks very much for your post and for the others as well.
 
Three of the four users are very careful, but on the fourth machine, every 3 to 6 months it requires major attention.

That says it all :)
My guess is it is the user that needs "Attention" :)

To be honest I expected my mention of the "L" word to get me lots of trouble.

For wiping the drive any live Linux should include dd which will do the job just fine from a root command prompt.
Code:
dd if=/dev/zero of=/dev/sda
This assumes that the disk to be wiped is /dev/sda. For safety I would not have any other hard disk connected.

dd can also be used to make a drive image if req.
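Added example, not part of the thread: a small script that illustrates mKeller10's reformat question and IPGuru's answer together. A constructed 1 MiB image file stands in for /dev/sda, so nothing real is touched; a "quick format" that rewrites only the first sectors leaves a planted marker recoverable from the raw bytes, the full dd overwrite from the thread removes it, and a final check confirms every byte reads back as zero.

```shell
#!/bin/sh
# Added example, not from the thread: a constructed 1 MiB image file stands in
# for /dev/sda so nothing real is touched. It shows that a "quick format"
# (rewriting only the first sectors) leaves data recoverable, while the full
# dd overwrite from the thread does not, and how to verify the wipe afterwards.
set -eu

IMG="${TMPDIR:-/tmp}/wipe-demo.img"   # stand-in for the compromised disk
MARKER='SECRET-DATA-MARKER'           # constructed "leftover" content

# Build the stand-in disk: 1 MiB of random bytes with the marker placed
# half-way in, well past any partition table or filesystem header.
make_image() {
    dd if=/dev/urandom of="$IMG" bs=1024 count=1024 2>/dev/null
    printf '%s' "$MARKER" | dd of="$IMG" bs=1 seek=524288 conv=notrunc 2>/dev/null
}

# Simulate repartition + quick format: only the first 64 KiB are rewritten.
quick_format() {
    dd if=/dev/zero of="$IMG" bs=1024 count=64 conv=notrunc 2>/dev/null
}

# Full overwrite, the same dd command IPGuru gave, aimed at the image file.
full_wipe() {
    dd if=/dev/zero of="$IMG" bs=1024 count=1024 conv=notrunc 2>/dev/null
}

# Succeeds when the marker can still be pulled out of the raw bytes.
marker_present() {
    grep -q "$MARKER" "$IMG"
}

# Succeeds only when every byte of the image is zero: the check to run on
# a real disk after dd finishes (e.g. tr -d '\000' < /dev/sda | wc -c).
all_zero() {
    [ "$(tr -d '\000' < "$IMG" | wc -c | tr -d ' ')" -eq 0 ]
}
```

On a real drive the same dd line targets the device instead of an image file; the zero check afterwards is what confirms the overwrite actually ran to the end of the disk.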
 