Friends computer infected with Virus

Gamingphreek

Lifer
Mar 31, 2003
11,679
0
81
Hey Guys,

One of my residents (I'm an RA) came to me with a computer problem. He knew he was an idiot and clicked on a popup that said "You have a virus" which then promptly installed a virus.

The first time it booted up, a woman's voice spoke to him, and the actual antivirus software went ballistic - So he shut it down and pulled the network cable.

I am trying to work on it; however, it is stuck in one of those aggravating logon/logoff loops. I tried a couple tricks in Windows recovery console, but I can't manage to restore anything to its previous state.

Does anyone have any ideas here? I am proficient in Linux - is there a way to edit Windows Registry from Linux?

Thanks,
-Kevin
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
Also, here's a couple of bootable scanning CDs from F-Secure and AntiVir:

AntiVir Rescue System, there's a .ISO, or a .EXE that burns a CD

F-Secure Rescue CD in .ISO format.


Give the system a wired network connection (so it can update virus defs) and boot from CD and let it scan. Between the two, I'd start with F-Secure's.
 

Gamingphreek

Lifer
Mar 31, 2003
11,679
0
81
Originally posted by: mechBgon
Also, here's a couple of bootable scanning CDs from F-Secure and AntiVir:

AntiVir Rescue System, there's a .ISO, or a .EXE that burns a CD

F-Secure Rescue CD in .ISO format.


Give the system a wired network connection (so it can update virus defs) and boot from CD and let it scan. Between the two, I'd start with F-Secure's.

I am out of CDs - is there any chance that I can throw this on a USB Flash Drive and boot from that?

Thanks,
-Kevin
 

lxskllr

No Lifer
Nov 30, 2004
60,221
10,669
126
A lot of things are bootable from USB. Sometimes it's easy, sometimes it's a major PITA. I'd go to the 7-11 and pay their outrageous price for a 5 pack of blanks. The savings to your sanity will make it a bargain.
 

Gamingphreek

Lifer
Mar 31, 2003
11,679
0
81
I tried restoring the registry from back ups from an Ubuntu LiveCD and that didn't work. I think this virus is much more sophisticated than merely modifying userinit.exe or something.

-Kevin
 

lxskllr

No Lifer
Nov 30, 2004
60,221
10,669
126
Maybe backup the data, and do a reinstall. You'll know for sure the problems fixed, and it won't take that much longer than screwing around with cleaners.
 

Gamingphreek

Lifer
Mar 31, 2003
11,679
0
81
Spring Break is 1 week away. I just need to get it serviceable until that point - is there anything I can do?

-Kevin
 

VinDSL

Diamond Member
Apr 11, 2006
4,869
1
81
www.lenon.com
Hrm...

My favorite AV software is F-Prot.

The biggest reason I like F-Prot is because it actually removes viruses, not just detect them (which any AV software will do), or quarantine them.

F-Prot has a free DOS version (and a free Linux version BTW).

If I was you, I'd try the free DOS version of F-Prot: http://www.f-prot.com/download...er/download_fpdos.html

That's the only thing I can think of, off the top of my head. The day is young, and I haven't had my coffee yet... :D
 

Gamingphreek

Lifer
Mar 31, 2003
11,679
0
81
Ok guys - after searching around forever and running a lot of what you suggest - I have come to find that this is a very advanced rootkit virus.

I just need to get this computer working enough for him to use it in class this week. This weekend and following week are spring break - he can reinstall over spring break.

I downloaded BartPE but I don't have any plugins installed - How do I find and remove rootkit viruses?

-Kevin
 

lxskllr

No Lifer
Nov 30, 2004
60,221
10,669
126
Antivir scans for rootkits. I'm not sure how well it does on the removal though, I've never used it for that.
 

Gamingphreek

Lifer
Mar 31, 2003
11,679
0
81
Originally posted by: lxskllr
Antivir scans for rootkits. I'm not sure how well it does on the removal though, I've never used it for that.

How do I get it and run it though? I can't boot into the Windows install - I am reduced to using different LiveCDs of Linux and BartPE.

-Kevin
 

lxskllr

No Lifer
Nov 30, 2004
60,221
10,669
126
If you can compile an UBCD4Win disc, you'll have some up to date antivirus tools. I have an old image from July last year I could give you, but I don't know if the antivirus will cover what you have, or if it'll even work. It's a 631 MB iso if you're interested.

Edit:

I'll load my iso in a vm and see how it works if you think you may want it.

Edit2:
I just confirmed that Antivir will update and scan. Whether or not it'll remove your problem, I don't know. There's a new P2P app that can be used between 2 or more people (OneSwarm). I have it installed, but I haven't used it yet. I could get the file to you that way if you're interested. You'd have to download the OneSwarm app also, and I think we can hook up by using Gmail addresses. If you want to try this, we should take it to PM.

http://oneswarm.cs.washington.edu/
 

Gamingphreek

Lifer
Mar 31, 2003
11,679
0
81
Originally posted by: lxskllr
If you can compile an UBCD4Win disc, you'll have some up to date antivirus tools. I have an old image from July last year I could give you, but I don't know if the antivirus will cover what you have, or if it'll even work. It's a 631 MB iso if you're interested.

Edit:

I'll load my iso in a vm and see how it works if you think you may want it.

Edit2:
I just confirmed that Antivir will update and scan. Whether or not it'll remove your problem, I don't know. There's a new P2P app that can be used between 2 or more people (OneSwarm). I have it installed, but I haven't used it yet. I could get the file to you that way if you're interested. You'd have to download the OneSwarm app also, and I think we can hook up by using Gmail addresses. If you want to try this, we should take it to PM.

http://oneswarm.cs.washington.edu/

Thanks for all the help - I feel like I may have found the files that were initially infected.

From an Ubuntu LiveCD - I navigated to the System32 folder and did an ls -ltau to list all files and folders by date last accessed. My friend said the problem occurred around 4 AM. There are a series of files that were last accessed at 3:46 AM.

12520437.cpx
12520850.cpx
9B13A86D.plf
access.cpl
igfxrkor.lrc
$ncsp$.inf
noise.ita

I opened a couple of them in hexedit - As of right now igfxrkor.lrc looks suspicious. There are notes for Force Removal of registry values - though I am not 100% sure what I am looking at.

Anybody able to help with this?

Thanks so much for the help already though!!!
-Kevin
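An added example, not part of Kevin's post or anyone else's in this thread: the same "what was touched around 3:46 AM" triage as the ls -ltau approach, but narrowed to a time window and followed by a SHA-256 so the hash can be looked up on VirusTotal before anything is uploaded. It assumes a Linux LiveCD with GNU find/coreutils and the Windows volume mounted read-only (for example mount -o ro /dev/sda1 /mnt/win), so that looking at the files does not itself rewrite their access times; the paths and the timestamps used are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists files in an offline Windows
# System32 directory by last-access time within a window, then prints all
# three timestamps and a SHA-256 for each hit. Assumes GNU find/coreutils
# (a typical Linux LiveCD) and a READ-ONLY mount of the Windows volume.

# List regular files directly inside DIR whose last-access time lies in the
# window (START, END]. Times are GNU date strings such as
# "2009-03-15 03:40:00", read in the LiveCD's local time zone.
files_accessed_between() {
    dir=$1; start=$2; end=$3
    find "$dir" -maxdepth 1 -type f -newerat "$start" ! -newerat "$end" -print | sort
}

# Print atime/mtime/ctime plus a SHA-256 for each file given, so the hash
# can be checked on VirusTotal first. NTFS on XP updates last-access time
# lazily (up to an hour late) and Vista and later turn it off by default,
# so treat atime as a hint and cross-check against mtime/ctime.
describe_files() {
    for f in "$@"; do
        stat -c 'atime=%x  mtime=%y  ctime=%z  %n' "$f"
        sha256sum "$f"
    done
}

# Usage (placeholder paths): sh triage.sh /mnt/win/WINDOWS/system32 \
#     "2009-03-15 03:40:00" "2009-03-15 03:50:00"
if [ "$#" -eq 3 ]; then
    files_accessed_between "$1" "$2" "$3" | while IFS= read -r f; do
        describe_files "$f"
    done
fi
```

Run it against the real System32 folder with a window around the time the victim reports; anything that turns up gets its hash checked before deciding whether to upload it. Because the mount is read-only, the atime values you see are the ones Windows recorded, not ones your own ls or stat calls created.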
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
F-Secure is also known for their rootkit detection. If you've gotten any CD-Rs yet, you might try burning F-Secure's rescue CD, giving the system a wired network connection so it can get updates, booting from the F-Secure CD, and running a full scan.

If the Windows installation is bootable at all, you could also boot into Safe Mode and run GMER (http://gmer.net). GMER has its own GMER Safe Mode for extra-super-severe rootkit situations, too.


Personally, by this point, I would've backed up his stuff, nuked the drive with DBAN, and reinstalled his OS and apps while snacking on a large pizza :D
 

degibson

Golden Member
Mar 21, 2008
1,389
0
0
Originally posted by: mechBgon
Personally, by this point, I would've backed up his stuff, nuked the drive with DBAN, and reinstalled his OS and apps while snacking on a large pizza :D

No kidding! By the time I even bother booting off of a live cd, I'm already at the 'backing up in preparation for nuke' stage. Remember: Nuking = ~4 hrs tops. Futzing with virii can take a lot longer if you let it.

I spend ~20 min fixing a problem before I decide to nuke.
 

BehindEnemyLines

Senior member
Jul 24, 2000
979
0
76
Refer to the infected drive:

I have encountered the situation where Windows logs off immediately after logging on. This is usually due to a changed registry key. You need to first make sure the \Windows\System32\userinit.exe file is genuine by checking its file properties on the infected drive. You need to check if the registry key is still valid. A friend of mine had his blanked with nothing in it. Now, we need to edit the registry. My method is below:

1. Put the hard drive to a USB enclosure
2. Plug the usb drive into a good computer running Windows XP or Vista
3. From the infected drive: copy the folder \Windows\System32\config as backup
4. Make sure everything in this folder is copied for BACKUP
5. Run regedt32.exe
6. Expand Computer
7. Select HKEY_LOCAL_MACHINE
8. Click File > Load Hive
9. Navigate to \Windows\System32\config of infected drive
10. Select SOFTWARE (there's no extension for this file)
11. Give it a temporary name
12. Under the temporary hive name, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
13. Look for Userinit under Name
14. Double-click that name so that we can change its value
15. Change the value to C:\Windows\system32\userinit.exe, (the comma is NOT a typo)
16. Select the temporary hive name
17. Click File > Unload Hive
18. Restart
19. Cross your fingers
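An added example, not part of BehindEnemyLines' post: the same Userinit repair done offline from a Linux LiveCD, which also answers the earlier question about editing the Windows registry from Linux. It uses reged from the chntpw package to export the Winlogon key to .reg text, checks the value before writing anything, and imports a fix only if the value is wrong. Assumptions: reged is installed and the Windows volume is mounted read-write; the hive path is a placeholder; the reged argument forms follow chntpw's usage text (run reged with no arguments to confirm them on your version). The .reg parsing itself is plain sh and needs neither.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline repair of the Winlogon
# Userinit value with reged (chntpw). HIVE is a placeholder for the SOFTWARE
# hive on the mounted Windows volume, e.g.
#   /mnt/win/WINDOWS/system32/config/SOFTWARE

# The value Windows expects (step 15); the trailing comma is part of it.
EXPECTED_USERINIT='C:\Windows\system32\userinit.exe,'
WINLOGON_KEY='Microsoft\Windows NT\CurrentVersion\Winlogon'

# Steps 3-4: copy the whole config folder before touching anything.
backup_config() {
    cfg=$(dirname "$1")
    cp -a "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
}

# Pull the Userinit value out of a .reg export. regedit and reged both write
# REG_SZ values as "Name"="value" with backslashes doubled; undo that.
userinit_from_reg() {
    grep -i '^"Userinit"=' "$1" | head -n 1 | tr -d '\r' | cut -d= -f2- \
        | sed -e 's/^"//' -e 's/"$//' -e 's/\\\\/\\/g'
}

# Case-insensitive check: Windows paths are case-insensitive and XP writes
# the default as C:\WINDOWS\system32\userinit.exe,
userinit_is_ok() {
    got=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$EXPECTED_USERINIT" | tr 'A-Z' 'a-z')
    [ "$got" = "$want" ]
}

# The fix as a .reg fragment (step 15), ready for import.
write_fix_reg() {
    cat > "$1" <<'EOF'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
EOF
}

# Steps 1 and 8-17 against the offline hive. reged flags as documented in
# chntpw's usage text (assumed): -x exports a key to .reg, -I imports a .reg,
# -C commits the change without prompting.
repair_userinit() {
    hive=$1
    sys32=$(dirname "$(dirname "$hive")")
    # Step 1: record the hash of userinit.exe so it can be checked on VirusTotal.
    sha256sum "$sys32/userinit.exe"
    backup_config "$hive"
    reged -x "$hive" 'HKEY_LOCAL_MACHINE\SOFTWARE' "$WINLOGON_KEY" winlogon.reg
    current=$(userinit_from_reg winlogon.reg)
    echo "Userinit is currently: '$current'"
    if userinit_is_ok "$current"; then
        echo "Userinit already correct; the logon loop has another cause"
        return 0
    fi
    write_fix_reg fix.reg
    reged -C -I "$hive" 'HKEY_LOCAL_MACHINE\SOFTWARE' fix.reg
    echo "Userinit restored; unmount cleanly and reboot (step 18)"
}

# Usage (placeholder path): sh fix_userinit.sh /mnt/win/WINDOWS/system32/config/SOFTWARE
if [ "$#" -eq 1 ]; then
    repair_userinit "$1"
fi
```

The check before the import matters for exactly the case in this thread: if the exported value already reads C:\Windows\system32\userinit.exe, the logon loop is not a Userinit problem, and rewriting it will not help. Unmount the volume cleanly (umount /mnt/win) before rebooting so the hive is flushed to disk.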
 

Gamingphreek

Lifer
Mar 31, 2003
11,679
0
81
Originally posted by: mechBgon
F-Secure is also known for their rootkit detection. If you've gotten any CD-Rs yet, you might try burning F-Secure's rescue CD, giving the system a wired network connection so it can get updates, booting from the F-Secure CD, and running a full scan.

If the Windows installation is bootable at all, you could also boot into Safe Mode and run GMER (http://gmer.net). GMER has its own GMER Safe Mode for extra-super-severe rootkit situations, too.


Personally, by this point, I would've backed up his stuff, nuked the drive with DBAN, and reinstalled his OS and apps while snacking on a large pizza :D

I booted with the F-Secure disc that you linked and let it run for 2 hours. I don't think it realized I had the wired network plugged in because the definitions were quite old. I might try that again.

The VirusTotal site is awesome though. The other files were not infected - but I sorted by last access time this time and I may have found one. There were 2 of the same .exe files but one had a .exe.a_a extension. After this I plan on looking in the prefetch folder given that, if it ran recently, it would have to be in that folder.

The reason I am going through all of this is for experience. I want to work in the Systems Security and Intelligence field when I graduate and I see this as ways to figure out how different malicious programs work.

Is there a disassembler that is free or something that I can use on the .exe files to break it down to assembly code? (That is once I find the malicious file)?

BehindEnemyLines - I actually tried something similar to that using the XP Recovery CD. I discovered 2 things. The recovery CD is absolute garbage and that it didn't work. It is possible that the instructions I followed were wrong or that I messed up - but I don't think I did. I might try and do that though - thank you!

Thanks so much for all the help - I'll post if I ever find anything!
-Kevin
 

Gamingphreek

Lifer
Mar 31, 2003
11,679
0
81
I FOUND IT!!!!!!!!!!

Link to VirusTotal

I just don't know what to do with it now. That was the .exe - it wiped out and renamed the .exe.a_a file. I am about to scan the .exe.a_a file and the other file now.

I'll update with the results.

Update: Neither of the other files are infected. I don't know what to do with this file now. The md5 sums listed link to other file names where those viruses spawn and infect a bunch of other processes. What's worse, it appears that this particular one can propagate over HTTP and LAN.

I don't know how to clean this on my own :-\
 

VinDSL

Diamond Member
Apr 11, 2006
4,869
1
81
www.lenon.com
I was just thinking...

I don't *think* this will help you this time, but in order to bump this thread, and for future reference...

I'm kind of goofy too!

My boss asked me to 'fix' his machine, a couple of years ago, and it turned out to have almost 1000 infected warez and porno files on it. It took me almost 24 hours to find them, and 3 days to get rid of them.

I surmise, someone had hacked into his machine, loaded it with warez/pron and was using his computer as a file server.

The thing is, they had branched off the download folder [like] 20 layers deep, in his Windows directory, where AV software didn't bother going (doing a normal scan).

When I did a 'deep scan' (which took almost a whole day) b-i-n-g-o there they were.

This is where the 'goofy' part comes in...

I spent the next 3 days 'disinfecting' his machine, rather than just wipe his HD and start from scratch!

So, I understand where you're coming from... :D
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Originally posted by: VinDSL
I spent the next 3 days 'disinfecting' his machine, rather than just wipe his HD and start from scratch!
Most every time I "disinfect" a PC, I regret it. It's almost always faster to re-install from scratch. And even when you get the system "cleaned", there's no way to know 100% that everything is gone.

Of course, there's little reason to not have full system backups nowadays. There are excellent backup solutions that make it fast and simple to restore an entire system to full health. Unfortunately, not everybody has gotten the message yet.
 

Ken90630

Golden Member
Mar 6, 2004
1,571
2
81
I know you said you wanna figure out what got in and how to clean it for "the experience," but really, you should take the advice of mechBgon and the others who've recommended backing the files up, using DBAN to nuke the HD, and doing a fresh Windows installation.

And not to discourage your professional aspirations in the computer security field :) , but I don't think you quite have a handle on what's involved here. If this is a really complicated piece of malware, like a rootkit and God-knows-what-else bundled with it, you're not likely to figure it all out anyway. With certain kinds of malware, there can literally be > a thousand infected/altered system files and who-knows-how-many permanent registry changes (including hooks), an infected boot sector on the HD, an infected and unrepairable System Restore folder, etc. And rootkit revealing scanners can work in some instances (but certainly not all), but they're complicated and not likely to find and repair everything 100% the way it was before the infection. Do you really wanna spend dozens (if not hundreds) of hours going thru the Windows registry, item by item, fixing every altered entry (if you even can)? (Answer: No, you don't. :laugh: ) If anything is left behind, and it almost certainly will be with the kind of infection you're describing, you're gonna need to reformat and reinstall Windows anyway.

And I know of no anti-virus or anti-spyware app that will CLEAN every trace of a complex infection. You might get a list of a gazillion infected files, but after the repair process you'll likely end up with a list of files that "couldn't be repaired/cleaned." At that point, you need to jump on the Reformat Train anyway. I, too, am sometimes interested in the how and why of how some malware does what it does, but in the end, the solution is the same: Nowadays, most sophisticated malware infections warrant a reformat and fresh Windows installation.

Just my $.02. Good luck. :)
 

VinDSL

Diamond Member
Apr 11, 2006
4,869
1
81
www.lenon.com
Originally posted by: RebateMonger
Of course, there's little reason to not have full system backups nowadays. There are excellent backup solutions that make it fast and simple to restore an entire system to full health. Unfortunately, not everybody has gotten the message yet.
Agreed!

I got a Thermaltake BlacX ST0005U (highly recommended):

http://www.newegg.com/Product/...x?Item=N82E16817153071

Best thing invented since water!!! :D