what are the odds a virus infected a file backup?

sgtotaku
I have created a partition on my fiancee's computer for all her files, however she has had the same issue twice now. as viruses are not my speciality, i reinstalled her OS (winXP Home SP3). given that the only things unchanged in the set-up are her hardware and partition set-up, and her files themselves, and that the issue popped back up AFTER a full OS re-install, i am thinking it is an infected file. The issue is that windows suddenly can't handle executables, with the exception of explorer.exe. It pops up the "what program do you want to open this file with..." dialog box. what i don't know how to do, is how to find the file and permanently remove it. any help from the IT community would be very useful. and i have lower-mid level IT experience, so don't be afraid to get a little technical with me.
  • +
    1 Votes
    Jacky Howe

    and if it isn't successful try the Mal/Virus removal and scan all drives.

    1. Windows XP File Association Fixes

    http://www.dougknox.com/xp/file_assoc.htm

    2. Follow the steps below with the System started and restarted in Safe Mode with Networking. Running in Safe Mode loads a minimal set of drivers for the Operating System. You can use these options to start Windows so that you can modify the registry or load or remove drivers. If you can access the Internet use it to download the files.

    If you can't access the internet to update MBAM try the instructions below to clear a path to the internet to be able to run MBAM. You can also download the updates for MBAM and run them from the USB.

    From another System download and install Spybot, update it and copy the installed folders to a USB Stick. Copy MBAM and the Update as well.

    With the new strains of Virus that have been created you may find it necessary to rename the executable files so that they will work. Rename mbam-setup.exe and then navigate to the install folder and rename mbam.exe. Do not change the file's extension from .exe. Do the same with Spybot.

    Removing malware from System Restore points:

    When you're infected with any trojans, spyware or malware, they could have been saved in System Restore and can re-infect you. It's best to remove them.

    XP
    Press the WinKey + r type sysdm.cpl and press Enter.
    Select the System Restore tab and check "Turn off System Restore".


    Vista
    Press the WinKey + r type sysdm.cpl and press Enter.
    Select the System Protection tab. Untick the box next to Local Disk C: and any other drives and click on Turn System Restore off.

    After scanning the system and removing the offending malware, re-enable System Restore by repeating the steps, this time removing the check from "Turn off System Restore".

    Once you have restarted the Infected System in Safe Mode, navigate to the USB stick and run Spybot.

    Download Spybot - Search & Destroy and install it. Update it. http://www.safer-networking.org/en/download/index.html

    Download Malwarebytes Anti-Malware, install it and update it.

    Malwarebytes: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.

    If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    mbam-rules: http://malwarebytes.gt500.org/mbam-rules.exe

    I would keep scanning with it until it is clean by closing out and rebooting and running it again.

    Run this Rootkit Revealer GMer
    http://www.gmer.net/index.php

    FAQ
    http://www.gmer.net/faq.php

    Tip! If you want to write protect the USB drive/stick while you are working on an infected System.
    In the recent release of Windows XP Service Pack 2 (SP2), a new feature was added by Microsoft to allow the write protection of USB block storage devices. This entails a simple Registry modification that requires no hardware devices to write protect thumb drives.

    If the USB drive has no small switch for write protection you can turn it on through the Registry via Command Line.

    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /v WriteProtect /t REG_DWORD /d 1 /f

    and one to turn it off but a System restart is required. Place a Batch file on the USB to turn it off.

    reg delete HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /f


    If TaskManager has been disabled this will enable TaskManager to allow access to the Registry.

    Command line removal or create Batch files.

    Click Start Run and type cmd and then press Enter.

    Execute the following commands in the command line in order to activate the registry editor and Task Manager:

    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f

    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /f

    You could also check these registry entries and change the values from 1 to 0 if they are disabled.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"

    If you are still having problems try this.

    Download Combofix and rename the executable Combofix.exe to cfix.exe before running it.

    http://www.combofix.org/

    http://www.combofix.org/download.php

    Fixmbr - Repair Master Boot Record and remove Viral activity

    Site
    http://www.ambience.sk/fdisk-master-boot-record-windows-linux-lilo-fixmbr.php

    Download
    http://www.ambience.sk/experiments/MbrFix.exe


    Download MbrFix to c:\

    Press Winkey + r and type in cmd and press Enter.

    now type cd\ and press Enter.

    now type MbrFix /drive 0 savembr Backup_MBR_0.bin and press Enter.


    now type MbrFix /drive 0 fixmbr /yes and press Enter.

    now type exit and press Enter.

    Restart the System for it to take effect.


    When all is clear you may need to tidy up the Registry.

    Registry:

    Download and install CCleaner to tidy up your Registry. Backup the Registry as you go along, rescan again and again saving as you go until there are no errors left.

    Cleaner: Windows

    When you first open Ccleaner you will have an option to Analyze or Run Cleaner, after checking the left Pane and making your choices. Delete all Temp Files. If you scroll down you will see a greyed out box that has Advanced next to it. Left click on it and keep pressing OK to all of the responses. I normally Untick Windows Log Files and Memory Dumps as they may come in handy.

    You don't have to install all of the add ons or shortcuts just the one to the Desktop.

    http://www.ccleaner.com/download

    Edit: fixed a bit

    +
    0 Votes
    1bn0

    My guess is you intended to recommend he try the exe fix first??

    EXE File Association Fix (Restore default association for EXE files)

    I would also add that it is common for some types of malware to modify the exe file association so that the malware gets executed every time you try to run a program. Usually it will run the malware and then run the program you asked for.

    After that the rest of Jacky's instructions will let you ensure any remaining infection is gone.
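The two registry checks the thread describes, Jacky Howe's DisableTaskMgr / DisableRegistryTools / Security Center override values and 1bn0's exe file association, can be done offline from a `.reg` export instead of on the infected desktop. The script below is an added example and not code from either poster: it parses a regedit-style export (produced with `reg export HKCR\exefile\shell\open\command exefile.reg` and similar on the suspect machine; regedit and `reg export` write UTF-16) and reports whether `HKEY_CLASSES_ROOT\exefile\shell\open\command` still holds the XP default `"%1" %*` and which lockout values are set to 1. The two sample exports are constructed, and the program path in the hijacked command is made up for illustration.

```python
# Added example (not from the forum posts): check a .reg export offline for a
# hijacked .exe file association and for tool-lockout / Security Center override
# values.  SAMPLE_INFECTED and SAMPLE_CLEAN are constructed; the path in the
# hijacked command below is invented for illustration.
import re
import sys

EXE_COMMAND_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
EXPECTED_EXE_COMMAND = '"%1" %*'   # XP default: launch the .exe itself with its arguments

# Values that lock the user out of tools or silence Security Center warnings.
# 0 (or absent) is the healthy state for every one of them.
LOCKOUT_VALUES = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System":
        ("DisableTaskMgr", "DisableRegistryTools"),
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center":
        ("FirewallOverride", "AntiVirusOverride"),
}

SAMPLE_INFECTED = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Application Data\\MSA.EXE\" /start \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallOverride"=dword:00000001
"AntiVirusOverride"=dword:00000000
'''

SAMPLE_CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''


def _unescape(s):
    # regedit escapes backslash and double quote inside string values with a backslash
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Parse a regedit-style export into {key: {value_name: value}}.
    '@' is the key's default value.  Only string and dword values are decoded;
    anything else is kept as its raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name_part, _, value_part = line.partition("=")
        name = "@" if name_part == "@" else name_part.strip('"')
        if value_part.startswith("dword:"):
            value = int(value_part[6:], 16)
        elif value_part.startswith('"') and value_part.endswith('"'):
            value = _unescape(value_part[1:-1])
        else:
            value = value_part
        keys[current][name] = value
    return keys


def check_exe_association(keys):
    """Return (is_default, command).  Anything other than the XP default means every
    program launch is routed through whatever the command names first."""
    command = keys.get(EXE_COMMAND_KEY, {}).get("@")
    return command == EXPECTED_EXE_COMMAND, command


def find_lockouts(keys):
    """Return [(key, value_name)] for every lockout/override value that is set to 1."""
    hits = []
    for key, names in LOCKOUT_VALUES.items():
        present = keys.get(key, {})
        hits.extend((key, name) for name in names if present.get(name) == 1)
    return hits


def report(text):
    """One line per finding; the exe association line is always first."""
    keys = parse_reg(text)
    ok, command = check_exe_association(keys)
    if command is None:
        lines = ["exefile\\shell\\open\\command not present in export"]
    elif ok:
        lines = ["exe association: default"]
    else:
        lines = ["exe association HIJACKED: " + command]
    lines += [f"{name} = 1 under {key}" for key, name in find_lockouts(keys)]
    return lines


if __name__ == "__main__":
    # Usage: python regcheck.py exported.reg   (no argument: run on the constructed sample)
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_INFECTED
    print("\n".join(report(text)))
```

A hijacked association is the reason the "open with" dialog appears once the malware's own file is gone: the command still points at a program that no longer exists, so restoring the default value (the dougknox fix above does exactly that) is what makes executables work again.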

    +
    0 Votes
    sgtotaku

    i really appreciate the help. her computer is the first one i have fixed where the virus has jumped partitions and persisted after an OS reinstall. if i need any more help, i will definitely come here to get it.

    +
    0 Votes
    Jacky Howe

    I put 1. and 2. Running it first will determine whether or not there is an infection or just a glitch in the OS. It may have to be run again when the infection is clear.

    +
    0 Votes
    AV .

    I just went through a virus/malware attack that took me days to remove because the PC was so infected. Task manager was disabled and CTRL-Alt-Del; no known virus software would work. It was a long road back, but what you're saying is pretty much what I did - over and over again.

    I used one site in addition to what you said that I found helpful in finding the viruses/malware. http://www.pandasecurity.com/homeusers/solutions/activescan/ has a free scan that was very helpful in pointing out the location of the problem. If you wanted them to clean it, you had to pay, but for free you could at least see where they were hiding and get rid of them yourself. Spybot did not find everything. I manually removed some things.

    The virus this person had was a fake antivirus mimicking Windows Protection Suite. It took over the whole PC. Almost 200 trojans, malware, etc. I don't think I've ever seen a PC so compromised. There were ports open in the firewall, the hosts file was compromised. Explorer had a long list of special hosts after I ran Hijack This. Lots of malware in the content.ie5 directory that is hidden and even the index.dat files for all profiles on the PC. I can go on, but can't believe how fully compromised this PC was.

    I was impressed with CCleaner. That is a very handy utility, but could be dangerous if you're not careful. It was helpful in removing the index.dat files. I didn't run mbrfix. I probably should have.

    AV

    +
    0 Votes
    Jacky Howe

    to eradicate them all. My best is 31219 viruses. Prior to this it was 748.

    Virus 'Troj/Dropper-EM' = 31191
    Virus 'Mal/Emogen-G' = 5
    Virus 'Mal/Heuri-E' = 6
    Virus 'Mal/Packer' = 2
    Virus 'Mal/Generic-A' = 2
    Virus 'Mal/ZlobJS-A' = 3
    Virus 'Troj/Agent-FXB' = 2
    Virus 'Mal/HckPk-A' = 2
    Virus 'Troj/Agent-GIX' = 6

    As you can see Virus 'Troj/Dropper-EM' = 31191 was the main culprit.

    Ccleaner is a little ripper and I think that it's the safest and most reliable cleaner but if you aren't careful it could be dangerous.

    Mbrfix will let you backup the MBR in case something goes wrong. It can come in handy.

    Sometimes you have to re run the software as other nasties appear as you work your way through removing them. One thing I do know is that there is no fun in cleaning infections but it is a relief when you are finished. Glad to see that you sorted out your problems.

    Edit:

    forgot to add that I sometimes suggest using BitDefender but I sort of stopped as it will only let you use it a certain number of times. Same for the site where you can post your HJT log.

    +
    0 Votes
    AV .

    I've used it in the past through GFI Mail Security and it really catches viruses that mainstream virus vendors like McAfee don't catch.

    You're not kidding when you say you have to keep running scans. I never realized that there was a limit on HJT logs. Incidentally, HJT would not remove my host issues from IE because my hosts file was hidden and I had to take ownership of the folder it was in. The virus actually hid my hosts file and replaced it with a host.new file with 0 bytes.

    AV

    +
    0 Votes
    Jacky Howe

    nasty critters out there. If the OS is responding really slowly I normally Slave the drive to another System and then run the scans. When I'm happy with the results I return the drive to the System that I removed it from and run all of the scans again. It can be very time consuming but if I have the infected System in my workshop I can do other things while it is being disinfected.

    That sounds strange for the hosts file and having to take ownership as well. What will they think of next.

    +
    0 Votes
    AV .

    You can definitely overcome a lot of possible issues doing that. I tried every virus software out there and couldn't get any of them to update on the PC. The services wouldn't run.

    I think creating a slave drive would have taken a lot less time. I spent two weeks removing that virus, though much of it was just scan time.

    The hosts file change was a first for me. The virus took ownership of the host file directory and replaced the contents of the host file with a list of about 10 domain names. Clearly, it was aimed at their bank account and all domains had the same IP address. I couldn't edit the hosts file as Administrator! The file attributes were SHR and I wasn't the owner of the host file directory.

    How many times have you seen a virus do that? I went into safe mode with network support and was able to take ownership and replace the bad hosts file with a basic one. After I did that, HJT was able to clean all the bad hosts out of IE. Phew!

    Nasty critters is right. Here is my takeaway from the experience:

    Viruses will now attack your hosts file;

    Ports in your firewall might be opened, especially if you use Windows Firewall.

    Always check your content.ie5 directory. It's a hidden directory so you have to manually type the path. Why is this directory there to begin with? It's a place for viruses to hide. Smitfraud was hiding here on my infected PC.

    Your index.dat files have links to bad places. Something like CCleaner can delete them, but you can't manually do it because the file is in use.

    I think that viruses have stepped up to a new level.

    AV
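The hosts-file tampering AV describes (about ten domain names, all pointing at one IP address, in a file the virus had hidden) is easy to spot mechanically once the file can be read. The script below is an added example, not AV's or anyone else's code from the thread: it parses a copy of `%SystemRoot%\system32\drivers\etc\hosts` and flags any routable address that has several hostnames pinned to it, while ignoring `127.0.0.1` and `0.0.0.0` entries because legitimate ad-blocking hosts lists use those. The two sample files are constructed.

```python
# Added example (not from the forum posts): flag hosts-file entries that pin a
# group of hostnames to one routable address, the pattern described above.
# SAMPLE_TAMPERED and SAMPLE_CLEAN are constructed; the addresses are from the
# documentation ranges (198.51.100.0/24, 192.0.2.0/24) and the .test TLD.
import ipaddress
import sys
from collections import defaultdict

SAMPLE_TAMPERED = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
198.51.100.7    www.examplebank.test
198.51.100.7    online.examplebank.test   # inline comment
198.51.100.7    secure.examplebank.test login.examplebank.test
"""

SAMPLE_CLEAN = """127.0.0.1   localhost
0.0.0.0     ads.example.test
0.0.0.0     tracker.example.test
192.0.2.10  fileserver.lan
"""


def parse_hosts(text):
    """Return [(ip, hostname)] pairs.  Comments, blank lines and multiple aliases
    on one line are handled; hostnames are lower-cased for grouping."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def pinned_hosts(entries, threshold=3):
    """Group hostnames by address and return {ip: sorted hostnames} for every
    address that is neither loopback nor 0.0.0.0 and carries at least
    `threshold` names.  A line whose address does not parse is returned
    regardless of count, since a valid hosts file never contains one."""
    by_ip = defaultdict(set)
    for ip, name in entries:
        by_ip[ip].add(name)
    flagged = {}
    for ip, names in by_ip.items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged[ip] = sorted(names)
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        if len(names) >= threshold:
            flagged[ip] = sorted(names)
    return flagged


def describe(text):
    """One human-readable line per flagged address; empty list means nothing found."""
    return [f"{ip} -> {', '.join(names)}"
            for ip, names in pinned_hosts(parse_hosts(text)).items()]


if __name__ == "__main__":
    # Usage: python hostscheck.py path\to\hosts   (no argument: run on the sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_TAMPERED
    print("\n".join(describe(text)) or "no suspicious pins")
```

The threshold of three is a judgement call: a single hostname on a LAN address (the `fileserver.lan` line) is a normal admin entry, whereas several unrelated names on one public address has no legitimate reason to exist in a home user's hosts file. If the file has been given the system and hidden attributes as AV found, `attrib -s -h -r` on it from an administrative command prompt makes it readable again before the script is run.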

    +
    0 Votes
    Jacky Howe

    As time goes on the Virus writers are getting more devious with what they do and can achieve. I agree that they have stepped up a level. It's a battle sometimes to keep up with what has happened to an infected System. I take my hat off to the writers of software like MBAM and ComboFix. I don't know where we would be without them but it wouldn't be pleasant.
    It's a long drawn out process to remove a lot of them manually but if you are persistent and have a lot of patience you can normally get on top of them. It can save a lot of time if you can find out what the infection is and then do a Google for removal instructions.

    You are a very patient person and I thank you for the vote of confidence and the tips.

    +
    0 Votes
    sgtotaku

    is that the issue takes time to appear after the OS re-install, and because the computer is not under my supervision, i have no idea what happens on it before the virus strikes. also, combofix is a new program for me, i have no experience using it, so until i get some experience with it on a Virtual Machine, i'm a little leery about using it. i know all too well what happens when an inexperienced user messes around with powerful utilities in Windows.

    my main goal is to figure out the best way to trudge through her large amount of files to isolate what is causing the issue. she initially had MSA.EXE, which is the main trojan for the "microsoft antivirus" trojan. i backed up her files and did a full system wipe. 2 weeks later, exact same symptoms on the new install, so i did another full system wipe, again, keeping all the files. it's been about a week, so i am hoping that the issue is non-existent. and i have also boosted the heuristics on the antivirus that i gave her.

    +
    0 Votes
    Jacky Howe

    I have recently had to use ComboFix for a stubborn Virus but it has been a long time since I have had to use it and I hope that it is longer still until I use it again but it was painless. That goes for all mal/AV software. I just followed the prompts and it killed the infection.

    Where did you Backup the files to, and did you scan the Data after you backed it up?

    How did you remove MS Antivirus?

    +
    0 Votes
    sgtotaku

    i partitioned her main HDD into 2 partitions, one for her OS and apps, and one for her files. I also redirect the My Documents files over to the file partition. after the files are put there, they are scanned by AVG Free, and (i hope) the manual scan on Avira AntiVir Personal. and before you mention it, i know that the problem is NOT caused by the 2 antiviruses.

    as for removing MS Antivirus, i re-install the OS because i dont have all the tools to remove it properly, and by the time i'm told, the virus has taken hold in the OS. on MY dual-boot computer, i got lucky and caught it before it could do any damage.

    +
    0 Votes

    OK

    Jacky Howe

    When I read your first post I thought that you were asking how to disinfect the System. eg: what i dont know how to do, is how to find the file and permanently remove it.

    The instructions that I provided in my first post will allow you to do this by scanning all of the drives. MalwareBytes will remove this infection. Normally I would run MBAM, Spybot and Gmer in that order. The rest is added information to get around obstacles that may prevent you from running Apps or removing the infection.

    If all that you need to know is the chance of an infection infecting Backups the answer would be a very good chance. Especially as the Virus wasn't removed in the first place.

    Formatting your hard drive DOES NOT erase hard drive data. Windows erases only file records, not file contents; the free space of your hard drive is full of "deleted" files that can be easily recovered. Even after you format a hard drive in Windows XP, old files can still be accessed by many data recovery programs and free utilities.

    An index of files is maintained for the hard drive, telling it where files are stored. When you install a file, it is scattered around the hard drive in bits and pieces. On your command to open the file, the hard drive checks the index, then gathers the pieces and reconstructs them.

    When that file is deleted, the links between the index and the file disappear. That tells your system that the file is no longer needed and that hard drive space can be overwritten. But the deleted file remains on your computer. A Virus can withstand a Format. If you go to that extreme you are better off removing the Data and wiping the drive with DBAN or Disk Wipe after you think that the Data is free from infection.

    How Did You Get MS Antivirus?

    Freeware or shareware: Did you download and install shareware or freeware? These low-cost or free software applications may come bundled with spyware, adware, or programs like MS Antivirus 2008. Sometimes adware is attached to the free software to "pay" developers for the cost of creating the software, and more often spyware is secretly attached to free software to harm your computer and steal your personal and financial information.

    Peer-to-peer software: Do you use a peer-to-peer (P2P) program or other application with a shared network? When you use these applications, you put your system at risk for unknowingly downloading an infected file, including applications like MS Antivirus 2008.

    Questionable websites: Did you visit a website that's of questionable nature? When you visit malicious sites that are fishy and phishy, badware may be automatically downloaded and installed onto your computer, sometimes including applications like MS Antivirus 2008.

    http://www.411-spyware.com/remove-ms-antivirus-2008


    You have now been provided access to the tools with instructions so run MBAM, Spybot and Gmer in that order to check for a current infection and if it happens again:

    Checking the sites visited in the history is normally a good clue as to where it came from if you are using IE.

    IEHistoryView v1.37 - View Visited Web Sites of Internet Explorer

    http://www.nirsoft.net/utils/iehv.html


    It is never a good idea to run two antivirus scanners simultaneously. However, if only one of the scanners has real-time protection enabled and the second scanner is used only to manually scan selected files, they may possibly co-exist peacefully. In some cases, an antivirus scanner will not install if it detects another antivirus scanner already installed on the system.

    +
    0 Votes
    sgtotaku

    when i get the chance to get over there on friday i will run the scans and let you know the results. as for checking the history, she uses either firefox or chrome, depending on what i tell her is OK to install. and she got MSA probably from a combo of all three sources you mentioned.

    And i apologize if my initial inquiry was not very clear.

    as for the dual antivirus setup, AVG runs the realtime scan and the e-mail scanner, where avira, by default, does not run real-time, yet provides rootkit scanning on a manual scan. i have been testing this setup on XP SP3 and Vista for the better part of 4 months without any issues. and i can assure you that i would never try to run something like McAfee and Norton together.

    +
    0 Votes

    LOL

    Jacky Howe

    all three sources. And there is no need to apologize, I should have remembered the heading.

    I don't use either firefox or chrome so I can't really suggest anything. Another peer may be able to help you there.

    You might suggest a scan and a check for updates at least weekly with both Spybot and MalwareBytes. I'm not a fan of McAfee or Norton for home use.

    I have been using Avast which is free for home use on my five networked Systems for months now without any problems, there is no impact on performance either. You only have to register it and then re-register again annually. Set it and forget it. It has Rootkit detection from GMer built in.

    This is when I switched over.

    Discussion: http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=263854

    Avast Free Home Antivirus: http://www.avast.com/eng/avast-free-home-antivirus-antispyware.html

    Thanks for the Thumb.

    Rob

  • +
    1 Votes
    Jacky Howe

    and if it isn't successful try the Mal/Virus removal and scan all drives.

    1. Windows? XP File Association Fixes

    http://www.dougknox.com/xp/file_assoc.htm

    2. Follow the steps below with the System started and restarted in Safe Mode with Networking. Running in Safe Mode loads a minimal set of drivers for the Operating System. You can use these options to start Windows so that you can modify the registry or load or remove drivers. If you can access the Internet use it to download the files.

    If you can't access the internet to update MBAM try the instructions below to clear a path to the internet to be able to run MBAM. You can also download the updates for MBAM and run them from the USB.

    From another System download and install Spybot, update it and copy the the installed folders to a USB Stick. Copy MBAM and the Update as well.

    With the new strains of Virus that have been created you may find it necessary to rename the executable files so that they will work. Rename mbam-setup.exe and then navigate to the install folder and rename mbam.exe. Do not change the files extension from .exe. Do the same with Spybot.

    Removing malware from System Restore points:

    When your infected with any trojans, spyware, malware, they could have been saved in System Restore and can to re-infect you. It's best to remove them.

    XP
    Press the WinKey + r type sysdm.cpl and press Enter.
    Select the System Restore tab and check "Turn off System Restore".


    Vista
    Press the WinKey + r type sysdm.cpl and press Enter
    Select the System Protection tab. Untick the box next to Local Disk C: and any other drives and click on Turn System Restore off.

    After scanning the system and removing the offending malware, re-enable System Restore by repeating the steps, this time removing the check from "Turn off System Restore".

    Once you have restarted the Infected System in Safe Mode, navigate to the USB stick and run Spybot.

    Download Spybot - Search & Destroy and install it. Update it. http://www.safer-networking.org/en/download/index.html

    Download Malwarebytes Anti-Malware, install it and update it.

    <a href="http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe" target="_blank"><u>Malwarebytes</u></a>

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.

    If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    <a href="http://malwarebytes.gt500.org/mbam-rules.exe" target="_blank"><u>mbam-rules</u></a>

    I would keep scanning with it until it is clean by closing out and rebooting and running it again.

    Run this Rootkit Revealer GMer
    <a href="http://www.gmer.net/index.php" target="_blank"><u>Gmer</u></a>

    FAQ
    <a href="http://www.gmer.net/faq.php" target="_blank"><u>FAQ</u></a>

    Tip! If you want to write protect the USB drive/stick while you are working on an infected System.
    In the recent release of Windows XP Service Pack 2 (SP2), a new feature was added by Microsoft to allow the write protection of USB block storage devices. This entails a simple Registry modification that requires no hardware devices to write protect thumb drives.

    If the USB drive has no small switch for write protection you can turn it on through the Registry via Command Line.

    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /v WriteProtect /t REG_DWORD /d 1 /f

    and one to turn it off but a System restart is required. Place a Batch file on the USB to turn it off.

    reg delete HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /f


    If TaskManager has been disabled this will enable TaskManager to allow access to the Registry.

    Command line removal or create Batch files.

    Click Start Run and type cmd and then press Enter.

    Execute the following commands in the command line in order to activate the registry editor and Task Manager:

    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f

    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /f

    You could also check these registry entries and change the values from 1 to 0 if they are disabled.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"

    If you are still having problems try this.

    Download Combofix and rename the executable Combofix.exe to cfix.exe before running it.

    http://www.combofix.org/

    http://www.combofix.org/download.php

    Fixmbr - Repair Master Boot Record and remove Viral activity

    Site
    http://www.ambience.sk/fdisk-master-boot-record-windows-linux-lilo-fixmbr.php

    Download
    http://www.ambience.sk/experiments/MbrFix.exe


    Download MbrFix to c:\

    Press Winkey + r and type in cmd and press Enter.

    now type cd\ and press Enter.

    now type MbrFix /drive 0 savembr Backup_MBR_0.bin and press Enter.


    now type MbrFix /drive 0 fixmbr /yes and press Enter.

    now type exit and press Enter.

    Restart the System for it to take effect.


    When all is clear you may need to tidy up the Registry.

    Registry:

    Download and install CCleaner to tidy up your Registry. Backup the Registry as you go along, rescan again and again saving as you go until there are no errors left.

    Cleaner: Windows

    When you first open Ccleaner you will have an option to Analyze or Run Cleaner, after checking the left Pane and making your choices. Delete all Temp Files. If you scroll down you will see a greyed out box that has Advanced next to it. Left click on it and keep pressing OK to all of the responses. I normally Untick Windows Log Files and Memory Dumps as they may come in handy.

    You don't have to install all of the add ons or shortcuts just the one to the Desktop.

    http://www.ccleaner.com/download

    Edit: fixed a bit

    +
    0 Votes
    1bn0

    My guess is you intended to recommend he try the exe fix first??

    EXE File Association Fix (Restore default association for EXE files)

    I would also add the it is common for some types of malware to modify the exe file association so that the malware gets executed every time you try to run a program. Usually it will run the malware and then run the program you asked for.

    Afte that the rest of Jackys' instruction will let you ensure any remaing infection is gone.

    +
    0 Votes
    sgtotaku

    i really appreciate the help. her computer is the first one i have fixed where the virus has jumped partitions and persisted after an OS reinstall. if i need any more help, i will definitely come here to get it.

    +
    0 Votes
    Jacky Howe

    I put 1. and 2. Running it first will determin whether or not there is an infection or just a glitch in the OS. It may have to be run again when the infection is clear.

    +
    0 Votes
    AV .

    I just went through a virus/malware attack that took me days to remove because the PC was so infected. Task manager was disabled and CTRL-Alt-Del; no known virus software would work. It was a long road back, but what you're saying is pretty much what I did - over and over again.

    I used one site in addition to what you said that I found helpful in finding the viruses/malware. http://www.pandasecurity.com/homeusers/solutions/activescan/ has a free scan that was very helpful in pointing out the location of the problem. If you wanted them to clean it, you had to pay, but for free you could at least see where they were hiding and get rid of them yourself. Spybot did not find everything. I manually removed some things.

    The virus this person had was a fake antivirus mimicking Windows Protection Suite. It took over the whole PC. Almost 200 trojans, malware, etc. I don't think I've ever seen a PC so compromised. There were ports open in the firewall, the hosts file was compromised. Explorer had a long list of special hosts after I ran Hijack This. Lots of malware in the content.ie5 directory that is hidden and even the index.dat files for all profiles on the PC. I can go on, but can't believe how fully compromised this PC was.

    I was impressed with CCleaner. That is a very handy utility, but could be dangerous if you're not careful. It was helpful in removing the index.dat files. I didn't run mbrfix. I probably should have.

    AV

    +
    0 Votes
    Jacky Howe

    to erradicate them all. My best is 31219 viruses. Prior to this it was 748.

    Virus 'Troj/Dropper-EM =31191
    Virus 'Mal/Emogen-G' =5
    Virus 'Mal/Heuri-E' =6
    Virus 'Mal/Packer' =2
    Virus 'Mal/Generic-A' =2
    Virus 'Mal/ZlobJS-A' 3
    Virus 'Troj/Agent-FXB' =2
    Virus 'Mal/HckPk-A'=2
    Virus 'Troj/Agent-GIX' =6

    As you can see Virus 'Troj/Dropper-EM =31191 was the main culprit.

    Ccleaner is a little ripper and I think that it's the safest and most reliable cleaner but if you arn't careful it could be dangerous.

    Mbrfix will let you backup the MBR in case something goes wrong. It can come in handy.

    Sometimes you have to re run the software as other nasties appear as you work your way through removing them. One thing I do know is that there is no fun in cleaning infections but it is a relief when you are finished. Glad to see that you sorted out your problems.

    Edit:

    forgot to add that I sometimes suggest using BitDefender but I sort of stopped as it will only let you use it a certain number of times. Same for the site where you can post your HJT log.

    +
    0 Votes
    AV .

    I've used it in the past through GFI Mail Security and it really catches viruses that mainstream virus vendors like McAfee don't catch.

    You're not kidding when you say you have to keep running scans. I never realized that there was a limit on HJT logs. Incidentally, HJT, would not remove my host issues from IE because my host file was hidden and I had to take ownership of the folder it was in. The virus actually hid my hosts file and replaced it with a host.new file with 0 bytes.

    AV

    +
    0 Votes
    Jacky Howe

    nasty critters out there. If the OS is responding really slowly I normally Slave the drive to another System and then run the scans. When I'm happy with the results I return the drive to the System that I removed it from and run all of the scans again. It can be very time consuming but if I have the infected System in my workshop I can do other things while it is being disinfected.

    That sounds strange for the hosts file and having to take ownership as well. What will they think of next.

    +
    0 Votes
    AV .

    You can definitely overcome a lot of possible issues doing that. I tried every virus software out there and couldn't get any of them to update on the PC. The services wouldn't run.

    I think creating a slave drive would have taken a lot less time. I spent two weeks removing that virus, though much of it was just scan time.

    The hosts file change was a first for me. The virus took ownership of the host file directory and replaced the contents of the host file with a list of about 10 domain names. Clearly, it was aimed at their bank account and all domains had the same IP address. I couldn't edit the hosts file as Administrator! The file attributes were SHR and I wasn't the owner of the host file directory.

    How many times have you seen a virus do that? I went into safe mode with network support and was able to take ownership and replace the bad hosts file with a basic one. After I did that, HJT was able to clean all the bad hosts out of IE. Phew!

    Nasty critters is right. Here is my takeaway from the experience:

    Viruses will now attack your hosts file;

    Ports in your firewall might be opened, especially if you use Windows Firewall.

    Always check your content.ie5 directory. It's a hidden directory, so you have to manually type the path. Why is this directory there to begin with? It's a place for viruses to hide. Smitfraud was hiding here on my infected PC.

    Your index.dat files have links to bad places. Something like CCleaner can delete them, but you can't manually do it because the file is in use.

    I think that viruses have stepped up to a new level.

    AV

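    The hosts file hijack described in the post above (a list of bank domains all pinned to one address, in a file marked system/hidden/read-only) can be spotted without a full malware scan. The script below is an added example and is not code from the thread or from any of the tools named in it; the hosts file content and the domain names are constructed, and 203.0.113.9 is an RFC 5737 documentation address, not a real indicator. It parses a hosts file, ignores the ordinary sinkhole entries (127.0.0.1, 0.0.0.0) that ad-blockers add, and flags any other address that several different hostnames are mapped to. On Windows it can also report the S/H/R attributes the poster ran into.

```python
"""Flag a hijacked Windows hosts file (added example, not from the thread)."""
import ipaddress
import os
import stat
from collections import defaultdict

# Constructed sample. The .test names are placeholders and 203.0.113.9 is
# a documentation address (RFC 5737); neither is a real indicator.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
0.0.0.0         ads.tracker.test        # ad-blocking style entry, harmless
203.0.113.9     www.examplebank.test
203.0.113.9     online.examplebank.test
203.0.113.9     secure.examplebank.test  login
203.0.113.9     www.otherbank.test
203.0.113.9     paypal-lookalike.test
"""

# A minimal replacement hosts file, the same one the poster put back.
CLEAN_HOSTS = "127.0.0.1       localhost\n"


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and bad lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; the resolver ignores such lines too
        for name in parts[1:]:
            yield ip, name.lower()


def is_sinkhole(ip):
    """127.x / ::1 / 0.0.0.0 are the normal targets of block-list entries."""
    return ip.is_loopback or ip.is_unspecified


def find_hijacks(text, min_names=2):
    """Return {ip: sorted hostnames} for every non-sinkhole address that at
    least min_names distinct hostnames are pinned to. Legitimate hosts
    files almost never map several unrelated sites to one routable IP."""
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        if not is_sinkhole(ip):
            by_ip[ip].add(name)
    return {str(ip): sorted(names)
            for ip, names in by_ip.items() if len(names) >= min_names}


def hosts_attributes(path):
    """On Windows, report the system/hidden/read-only bits the poster saw
    (attrib shows them as S, H, R). Returns None on other platforms."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    return {
        "system": bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM),
        "hidden": bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
        "readonly": bool(attrs & stat.FILE_ATTRIBUTE_READONLY),
    }


if __name__ == "__main__":
    # Real use: pass the contents of %SystemRoot%\System32\drivers\etc\hosts.
    for ip, names in find_hijacks(SAMPLE_HOSTS).items():
        print(f"{ip} claims {len(names)} hostnames: {', '.join(names)}")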
    +
    0 Votes
    Jacky Howe

    As time goes on the Virus writers are getting more devious with what they do and can achieve. I agree that they have stepped up a level. It's a battle sometimes to keep up with what has happend to an infected System. I take my hat off to the writers of software like MBAM and ComboFix. I don't know where we would be without them but it wouldn't be pleasant.
    It's a long drawn out process to remove a lot of them manually but if you are persistent and have a lot of patience you can normally get on top of them. It can save a lot of time if you can find out what the infection is and then do a Google for removal instructions.

    You are a very patient person and I thank you for the vote of confidence and the tips.

    +
    0 Votes
    sgtotaku

    is that the issue takes time to appear after the OS re-install, and because the computer is not under my supervision, i have no idea what happens on it before the virus strikes. also, combofix is a new program for me, i have no experience using it, so until i get some experience with it on a Virtual Machine, i'm a little leery about using it. i know all too well what happens when an inexperienced user messes around with powerful utilities in Windows.

    my main goal is to figure out the best way to trudge through her large amount of files to isolate what is causing the issue. she initially had MSA.EXE, which is the main trojan for the "microsoft antivirus" trojan. i backed up her files and did a full system wipe. 2 weeks later, exact same symptoms on the new install, so i did another full system wipe, again, keeping all the files. it's been about a week, so i am hoping that the issue is non-existant. and i have also boosted the heuristics on the antivirus that i gave her.

    +
    0 Votes
    Jacky Howe

    I have recently had to use ComboFix for a stubborn Virus but it has been a long time since I have had to use it and I hope that it is longer still until I use it again but it was painless. That goes for all mal/AV software. I just followed the prompts and it killed the infection.

    Where did you Backup the files to, did you scan the Data after you backed it up.

    How did you remove MS Antivirus.

    +
    0 Votes
    sgtotaku

    i partitioned her main HDD into 2 partitions, one for her OS and apps, and one for her files. I also redirect the my Documents files over to the file partition. after the files are put there, they are scanned by AVG Free, and (i hope) the manual scan on Avira AntiVir Personal. and before you mention it, i know that the problem is NOT caused by the 2 antiviruses.

    as for removing MS Antivirus, i re-install the OS because i dont have all the tools to remove it properly, and by the time i'm told, the virus has taken hold in the OS. on MY dual-boot computer, i got lucky and caught it before it could do any damage.

    +
    0 Votes

    OK

    Jacky Howe

    When I read your first post I thought that you were asking how to disinfect the System. eg: what i dont know how to do, is how to find the file and permanently remove it.

    The instructions that I provided in my first post will allow you to do this by scanning all of the drives. MalwareBytes will remove this infection. Normally I would run MBAM, Spybot and Gmer in that order. The rest is added information to get around obstacles that may prevent you from running Apps or removing the infection.

    If all that you need to know is the chance of an infection infecting Backups the answer would be a very good chance. Especially as the Virus wasn't removed in the first place.

    Formatting your hard drive DOES NOT erase hard drive data, Windows erases only file records, not file contents, the free space of your hard drive is full of "deleted" files that can be easily recovered. Even after you format a hard drive in Windows XP, old files can still be accessed by many data recovery programs and free utilities.

    An index of files is maintained for the hard drive, telling it where files are stored. When you install a file, it is scattered around the hard drive in bits and pieces. On your command to open the file, the hard drive checks the index, then gathers the pieces and reconstructs them.

    When that file is deleted, the links between the index and the file disappear. That tells your system that the file is no longer needed and that hard drive space can be overwritten. But the deleted file remains on your computer. A Virus can withstand a Format. If you go to that extreem you are better off removing the Data and wiping the drive with DBAM or Disk Wipe after you think that the Data is free from infection.

    How Did You Get MS Antivirus?

    Freeware or shareware: Did you download and install shareware or freeware? These low-cost or free software applications may come bundled with spyware, adware, or programs like MS Antivirus 2008. Sometimes adware is attached to the free software to ?pay? developers for the cost of creating the software, and more often spyware is secretly attached to free software to harm your computer and steal your personal and financial information.

    Peer-to-peer software: Do you use a peer-to-peer (P2P) program or other application with a shared network? When you use these applications, you put your system at risk for unknowingly downloading an infected file, including applications like MS Antivirus 2008.

    Questionable websites: Did you visit a website that?s of questionable nature? When you visit malicious sites that are fishy and phishy, badware may be automatically downloaded and installed onto your computer, sometimes including applications like MS Antivirus 2008.

    http://www.411-spyware.com/remove-ms-antivirus-2008


    You have now been provided access to the tools with instructions so run MBAM, Spybot and Gmer in that order to check for a current infection and if it happens again:

    Checking the sites visited in the history is normally a good clue as to where it came from if you are using IE.

    IEHistoryView v1.37 - View Visited Web Sites of Internet Explorer

    http://www.nirsoft.net/utils/iehv.html


    It is never a good idea to run two antivirus scanners simultaneously. However, if only one of the scanners has real-time protection enabled and the second scanner is used only to manually scan selected files, they may possible co-exist peacefully. In some cases, an antivirus scanner will not install if it detects another antivirus scanner already installed on the system.

    +
    0 Votes
    sgtotaku

    when i get the chance to get over there on friday i will run the scans and let you know the results. as for checking the history, she uses either firefox or chrome, depending on what i tell her is OK to install. and she got MSA probably from a combo of all three sources you mentioned.

    And i appologize if my initial inquiry was not very clear.

    as for the dual antivirus setup, AVG runs the realtime scan and the e-mail scanner, where avira, by default, does not run real-time, yet provides rootkit scanning on a manual scan. i have been testing this setup on XP SP3 and Vista for the better part of 4 months without any issues. and i can assure you that i would never try to run something like McAfee and Norton together.

    +
    0 Votes

    LOL

    Jacky Howe

    all three sources. And there is no need to apologize I should have rememberd the heading.

    I don't use either firefox or chrome so I can't really suggest anything. Another peer may be able to help you there.

    You might suggest a scan and a check for updates at least weekly with both Spybot and MalwareBytes. I'm not a fan of McAfee or Norton for home use.

    I have been using Avast which is free for home use on my five networked Systems for months now without any problems, there is no impact on performance either. You only have to register it and then re-register again annually. Set it and forget it. It has Rootkit detection from GMer built in.

    This is when I switched over.

    <a href="http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=263854" target="_blank"><u>Discussion</u></a>

    <a href="http://www.avast.com/eng/avast-free-home-antivirus-antispyware.html" target="_blank"><u>Avast-Free-Home-Antivirus</u></a>

    Thanks for the Thumb.

    Rob