Forum: Computer & Technology Related

Never seen a virus stop me fixing it before... until today

Old 03 February 2009, 08:04 PM
  #1  
spectrum48k
Scooby Regular
Thread Starter
Join Date: Feb 2006
Posts: 2,519

Was asked to have a look at a computer that was 'playing up'

Turns out it has a rather nasty virus which actually stops me in a couple of ways from installing and repairing it.

Couldn't install ESET NOD32 - administrator rights had been changed! (Lets me install normal applications no bother.)
Couldn't install Malwarebytes - it refused to run the installer. Changed the filename and got it installed, but then it wouldn't run the exe.
Caused an error when I tried to install SuperAntiSpyware.
Checked the Task Manager and shut down the offending item, only to be told the PC was going to shut down in 20 secs!

Resorted to burning Kaspersky's boot CD which I'm taking along tomorrow AM.
I've also got Hiren's Boot CD for good measure.

Last edited by spectrum48k; 03 February 2009 at 08:06 PM.
Old 03 February 2009, 09:03 PM
  #2  
bioforger
Scooby Regular
iTrader: (1)
Join Date: Jan 2002
Location: Pig Hill, Wiltsh1te
Posts: 16,995

Did you do the obvious and try to install your apps in safe mode?
Old 03 February 2009, 10:45 PM
  #3  
suba
Scooby Regular
Join Date: Mar 2000
Posts: 2,462

Turn off System Restore too.
Old 03 February 2009, 10:57 PM
  #4  
Dedrater
Scooby Regular
Join Date: May 2008
Posts: 3,957

Zero point in trying to fix it; you could be there for hours trying to modify the registry, hosts file etc. Massive waste of time and energy.

Instead download Ubuntu, burn it to disc, then run it as a live CD. You can then access the whole (Windows) drive; just plug in a USB drive or slave another hard drive to the computer and back up any files that are needed, reinstall Windows, job done in 35 minutes.

That's how the pros do it.
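Added example (not from the thread) of the backup step in the live-CD approach above: copy the user data off the Windows partition the live CD has mounted, leave behind the file types that carry the infection rather than documents, and write a SHA-256 manifest so the copy can be checked before it goes back onto the clean install. The mount points in SRC and DST are assumed placeholders; the demo at the bottom builds its own throwaway profile tree so it runs offline.

```python
"""Back up user data from a Windows drive mounted by a live CD, leaving
behind the file types that carry the infection rather than documents.

Added example, not from the thread. SRC and DST are placeholders for
where the live CD mounted the Windows partition and the USB drive."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

SRC = "/media/windows/Documents and Settings"   # assumed mount point
DST = "/media/usb/backup"                      # assumed mount point

# Never user "documents"; these are the usual carriers of the infection.
SKIP_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
                 ".vbs", ".js", ".lnk", ".sys", ".cpl"}
SKIP_NAMES = {"autorun.inf", "desktop.ini", "thumbs.db", "ntuser.dat"}


def should_skip(path) -> bool:
    path = Path(path)
    return (path.name.lower() in SKIP_NAMES
            or path.suffix.lower() in SKIP_SUFFIXES)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_profile(src, dst):
    """Copy src to dst except skipped files; return (copied, skipped).
    copied maps relative path -> sha256; the same list is written to
    dst/MANIFEST.sha256 in sha256sum format."""
    src, dst = Path(src), Path(dst)
    dst.mkdir(parents=True, exist_ok=True)
    copied, skipped = {}, []
    for root, dirs, files in os.walk(src):
        # Do not follow junctions/symlinks: they can point back at system dirs.
        dirs[:] = [d for d in dirs if not (Path(root) / d).is_symlink()]
        for name in files:
            p = Path(root) / name
            rel = p.relative_to(src).as_posix()
            if p.is_symlink() or should_skip(p):
                skipped.append(rel)
                continue
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            copied[rel] = sha256_file(target)
    with (dst / "MANIFEST.sha256").open("w") as m:
        for rel, digest in sorted(copied.items()):
            m.write(f"{digest}  {rel}\n")
    return copied, sorted(skipped)


def verify_backup(dst):
    """Re-hash every file named in the manifest; return the mismatches."""
    dst = Path(dst)
    bad = []
    for line in (dst / "MANIFEST.sha256").read_text().splitlines():
        digest, rel = line.split("  ", 1)
        f = dst / rel
        if not f.is_file() or sha256_file(f) != digest:
            bad.append(rel)
    return bad


def demo():
    """Constructed profile tree (not real data) backed up to a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "profile", Path(tmp) / "usb"
        (src / "My Documents").mkdir(parents=True)
        (src / "My Documents" / "quotes.xls").write_bytes(b"customer quotes")
        (src / "My Documents" / "invoice.pdf.exe").write_bytes(b"MZ...")
        (src / "autorun.inf").write_text("[autorun]\nopen=invoice.pdf.exe\n")
        copied, skipped = backup_profile(src, dst)
        return sorted(copied), skipped, verify_backup(dst)


if __name__ == "__main__":
    print(demo())            # real run: backup_profile(SRC, DST)
```

Mount the Windows partition read-only on the live CD before running this; the point of the skip list is that a document backup has no reason to contain executables, and the manifest lets you prove the files on the USB drive are the ones you copied before they touch the rebuilt machine.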
Old 03 February 2009, 11:08 PM
  #5  
spectrum48k
Scooby Regular
Thread Starter
Join Date: Feb 2006
Posts: 2,519

Originally Posted by bioforger
Did you do the obvious and try to install your apps in safe mode?
Yep, it was the only way to get Malwarebytes installed.
Old 03 February 2009, 11:11 PM
  #6  
spectrum48k
Scooby Regular
Thread Starter
Join Date: Feb 2006
Posts: 2,519

Originally Posted by Dedrater
Zero point in trying to fix it; you could be there for hours trying to modify the registry, hosts file etc. Massive waste of time and energy.

Instead download Ubuntu, burn it to disc, then run it as a live CD. You can then access the whole (Windows) drive; just plug in a USB drive or slave another hard drive to the computer and back up any files that are needed, reinstall Windows, job done in 35 minutes.

That's how the pros do it.
If only it were that simple! The machine has an engraver attached to it, with bespoke Windows software. To reinstall would be a pain as the serials, calibration and commissioning are usually done by the supplier.

I know what you mean though. I might just pop out the hard drive and plug it into my laptop (I have a USB > SATA > ATA adapter), but I was hoping to get it done without having to open the damn thing up.

I've just tested the Kaspersky boot CD and it works rather nicely. It appears to boot a linux derivative, load a driver for the NIC and even update itself before doing a scan.

Last edited by spectrum48k; 03 February 2009 at 11:13 PM.
Old 03 February 2009, 11:26 PM
  #7  
Dedrater
Scooby Regular
Join Date: May 2008
Posts: 3,957

Ah right, I know little about Kaspersky so can't comment, but look into HijackThis by Trend Micro (freeware) as well.
Old 03 February 2009, 11:36 PM
  #8  
spufus
Scooby Regular
iTrader: (2)
Join Date: Oct 2003
Location: In the summerhouse
Posts: 661

I've had similar experiences.

I removed the drive(s) and put them in a USB caddy. Scanned them from my system & cleaned them with Malwarebytes, Spybot & AVG.
Took 4 attempts before they were "clean".
Reinstalled the drive in the PC, installed Malwarebytes, Spybot & AVG & ran the scan again.
Malwarebytes, Spybot & AVG all found about 18 "nasties". Cleaned them up & job done.
Took a bit of time, but both systems are back at 100% of what they were.

HTH

Just to add. Neither system would allow booting in safe mode nor allow any AV software to be installed or updated.
Old 03 February 2009, 11:41 PM
  #9  
Dedrater
Scooby Regular
Join Date: May 2008
Posts: 3,957

Originally Posted by spufus

Just to add. Neither system would allow booting in safe mode nor allow any AV software to be installed or updated.
The simple fix to that would have been to sort the hosts file, as it had been hijacked and modified. By default, the only thing that comes with a clean Windows install is 127.0.0.1 localhost. What many new viruses/trojans attempt to do is edit your hosts file to essentially make most recognised antivirus programs unusable/disabled/non-updatable.

Most will also disable the Task Manager; the registry key which controls whether Task Manager is enabled or disabled is

User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

Value Name: DisableTaskMgr
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = disable Task Manager)
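Added example (not from the thread) of triaging a hosts file for the hijack described above. It parses the file, labels every non-default entry (a vendor or update hostname pinned to loopback is "blocked", one sent to some other address is "redirected"), and rebuilds a clean file that keeps only comments and the localhost lines. The SAMPLE contents and the WATCHED vendor list are constructed for the demo; on the patient the file is %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Triage a Windows hosts file for the hijack described above: antivirus
and update hostnames pinned to loopback (or to some other address) so the
scanners can neither install updates nor reach their vendors.

Added example, not from the thread. SAMPLE is constructed; on a real
machine read %SystemRoot%\\System32\\drivers\\etc\\hosts instead."""
import ipaddress

# A clean hosts file maps only localhost (the ::1 line appears on Vista+).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Name fragments a hosts file has no business containing (assumed list).
WATCHED = ("malwarebytes.", "kaspersky.", "eset.", "superantispyware.",
           "avg.", "symantec.", "mcafee.", "windowsupdate.", "microsoft.")

SAMPLE = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       update.eset.com   # stops NOD32 updating
10.66.77.88     www.kaspersky.com
127.0.0.1       www.google.co.uk
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping; comments ignored."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            yield ("?", line, n)          # malformed, still worth a look
            continue
        for name in names:
            yield (ip, name.lower(), n)


def classify(ip, host):
    if (ip, host) in DEFAULT_ENTRIES:
        return "default"
    if ip == "?":
        return "malformed"
    addr = ipaddress.ip_address(ip)
    sinkhole = addr.is_loopback or addr.is_unspecified   # 127.x / 0.0.0.0
    watched = any(w in host for w in WATCHED)
    if watched and sinkhole:
        return "blocked"        # vendor/update host sent to this PC
    if watched:
        return "redirected"     # vendor/update host sent elsewhere
    if sinkhole:
        return "sinkholed"      # some other site blocked
    return "custom"             # non-default mapping, review by hand


def triage(text):
    """Every non-default entry as (line_no, ip, host, verdict)."""
    return [(n, ip, h, classify(ip, h))
            for ip, h, n in parse_hosts(text) if classify(ip, h) != "default"]


def clean_hosts(text):
    """Rebuild the file keeping comments, blank lines and default entries."""
    kept = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            kept.append(raw)
            continue
        ip, *names = line.split()
        if names and all((ip, n.lower()) in DEFAULT_ENTRIES for n in names):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for n, ip, host, verdict in triage(SAMPLE):
        print(f"line {n}: {ip:<15} {host:<28} {verdict}")
    print(clean_hosts(SAMPLE))
```

Run it against a copy of the patient's hosts file taken from the live CD or the USB caddy rather than from the infected session, since the malware can rewrite the file again while it is running. The Task Manager policy from the post is reset from an administrator command prompt with `reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 0 /f` (and the same path under HKLM).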
Old 04 February 2009, 12:18 AM
  #10  
Sonic'
Scooby Regular
Join Date: Dec 2002
Location: Couch Spud
Posts: 9,277

Daft question, but how does an edited hosts file stop programs from running, or your PC from booting up?

A hosts file is only used to resolve names to IP addresses, and isn't actually needed.
Old 04 February 2009, 12:38 AM
  #11  
badcompany
Scooby Regular
Join Date: Aug 2005
Posts: 298

STOPzilla if you want to pay to remove it... it does a free scan first.

STOPzilla Anti-Spyware

I had the same virus a few weeks back.
Old 04 February 2009, 02:50 AM
  #12  
Boro
Scooby Regular
iTrader: (1)
Join Date: Jul 2003
Location: Cornwall
Posts: 7,222

I was trying to repair a friend's computer which had similar symptoms. A simple restore to a previous safe state fixed it.
Old 04 February 2009, 09:52 AM
  #13  
Miniman
Scooby Regular
iTrader: (2)
Join Date: May 2002
Posts: 995

Originally Posted by Dedrater
reinstall Windows, job done in 35 minutes.
I agree with the overall method, but it's going to take a lot longer than 35 minutes, unless you are only considering a base install from a Windows CD, i.e. with no updates, no apps, no virus checker, etc. Or I suppose an image of a previously good version may be this quick.

So I think you need to think hard about this method before doing it.

Last edited by Miniman; 04 February 2009 at 09:53 AM.
Old 04 February 2009, 12:14 PM
  #14  
GC8WRX
Scooby Regular
Join Date: Oct 2007
Location: Wanting the English to come first in England for a change!
Posts: 2,091

It's not that nasty virus that sits in the Master Boot Record, below Windows if you like, and can't be got at? The only way to kill it is a reinstall of Windows.

WTF is Bill Gates thinking? I can't think of one program that needs access to the MBR; it should be inaccessible!
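Added example (not from the thread): the MBR the post is worried about is a single 512-byte sector, and it can be read and checked rather than assumed infected. The code parses the boot signature and partition table, hashes the boot-code area, and diffs the patient's sector against a baseline taken from a known-clean machine of the same build. Both sectors below are constructed (CLEAN_CODE is a stand-in, not Microsoft's boot code); a real sector 0 comes from `dd if=/dev/sda bs=512 count=1` on the live CD.

```python
"""Parse and compare a raw Master Boot Record (sector 0).

Added example, not from the thread. The two sectors at the bottom are
constructed; CLEAN_CODE is a stand-in for the boot code, not Microsoft's.
On a live CD a real sector comes from: dd if=/dev/sda bs=512 count=1."""
import hashlib
import struct

SECTOR = 512
PT_OFFSET = 446          # four 16-byte partition entries start here
SIG_OFFSET = 510         # 0x55AA boot signature


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash and the in-use partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIG_OFFSET:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        ptype = entry[4]
        if ptype == 0:                      # unused slot
            continue
        lba_start, sectors = struct.unpack("<II", entry[8:16])
        partitions.append({"index": i, "bootable": entry[0] == 0x80,
                           "type": ptype, "lba_start": lba_start,
                           "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:PT_OFFSET]).hexdigest(),
            "partitions": partitions}


def diff_mbr(current: bytes, baseline: bytes) -> list:
    """Findings when the patient's sector 0 differs from a clean one."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a sector (only used here to construct the demo inputs).
    partitions: list of (bootable, type, lba_start, sectors)."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, size) in enumerate(partitions):
        off = PT_OFFSET + 16 * i
        sector[off] = 0x80 if bootable else 0x00
        sector[off + 4] = ptype
        sector[off + 8:off + 16] = struct.pack("<II", lba, size)
    sector[SIG_OFFSET:] = b"\x55\xAA"
    return bytes(sector)


# Constructed stand-in boot code, padded to the 446-byte code area.
CLEAN_CODE = (b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 200).ljust(PT_OFFSET, b"\x00")
# Typical XP layout: one bootable NTFS (0x07) partition starting at LBA 63.
XP_TABLE = [(True, 0x07, 63, 156296322)]

BASELINE = build_mbr(CLEAN_CODE, XP_TABLE)
# "Infected": same partition table, first bytes replaced by a jump into
# code the malware stashed elsewhere in the sector.
INFECTED = build_mbr(b"\xEB\x3E" + CLEAN_CODE[2:], XP_TABLE)

if __name__ == "__main__":
    print(parse_mbr(BASELINE))
    print(diff_mbr(INFECTED, BASELINE) or ["matches baseline"])
```

Only the boot-code area is hashed, because the partition table legitimately differs between machines and would make a whole-sector hash useless. When the boot code does differ, fixmbr from the XP Recovery Console rewrites it and leaves the partition table alone; comparing the table as well shows whether the layout itself was touched.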
Old 04 February 2009, 01:19 PM
  #15  
WRX_Dazza
Scooby Regular
Join Date: Feb 2006
Location: Going further than the station and back !!! ZZZZZZZZZzzzzzzzzzzzz
Posts: 11,097

I had one of these the other day on a home PC.

Ended up dropping the drive out and sticking in another with fresh XP Pro.
Spent about 2 hours beforehand trying everything.

Also, as another PITA, the profiles' "My Documents" were 'empty'.

That will teach them!!

[Off to back up my own PC again!!!]
Old 04 February 2009, 04:19 PM
  #16  
Dedrater
Scooby Regular
Join Date: May 2008
Posts: 3,957

Originally Posted by Sonic'
Daft question, but how does an edited hosts file stop programs from running, or your PC from booting up?
I over-quoted his post.
Old 05 February 2009, 11:47 AM
  #17  
spectrum48k
Scooby Regular
Thread Starter
Join Date: Feb 2006
Posts: 2,519

Update:

So there I was, plugging the affected drive into the laptop via my SATA/IDE > USB adapter, and it didn't respond! No drive letter showed up! BUGGER!

In the end I put the disk back in the PC, got hold of the Dell Windows XP disc and did a repair to refresh the corrupted files. Afterwards this left the PC in good enough condition to get all the latest A/V and anti-spyware apps to check through it and remove the remaining damage.

Anyone recommend a good SATA/IDE > USB kit? I use the one from Maplin.
Old 05 February 2009, 12:19 PM
  #18  
Iain Young
Scooby Regular
Join Date: Sep 1999
Location: Swindon, Wiltshire Xbox Gamertag: Gutgouger
Posts: 6,956

I've got one of these, and it's saved my bacon a few times

USB 2.0 IDE & SATA Cable Kit USBNow.co.uk
Old 05 February 2009, 12:24 PM
  #19  
spectrum48k
Scooby Regular
Thread Starter
Join Date: Feb 2006
Posts: 2,519

Originally Posted by Iain Young
I've got one of these, and it's saved my bacon a few times

USB 2.0 IDE & SATA Cable Kit USBNow.co.uk
Will check it out. I've always thought my Maplin one was a bit flimsy. Knew it would let me down one day.
Old 05 February 2009, 02:55 PM
  #20  
unfeasablylargegonads
Scooby Regular
iTrader: (3)
Join Date: Aug 2004
Location: Cambs
Posts: 701

Originally Posted by GC8WRX
It's not that nasty virus that sits in the Master Boot Record, below Windows if you like, and can't be got at? The only way to kill it is a reinstall of Windows.

WTF is Bill Gates thinking? I can't think of one program that needs access to the MBR; it should be inaccessible!
LOL, you think that's bad? Latest security research shows signs of virus/malware being developed that flashes itself into EPROMs on things like graphics cards, so you could clean/change your drive all you want to no effect.
Old 05 February 2009, 03:09 PM
  #21  
Dedrater
Scooby Regular
Join Date: May 2008
Posts: 3,957

Originally Posted by unfeasablylargegonads
Latest security research shows signs of virus/malware being developed that flashes itself into EPROMs on things like graphics cards..
Yeah, I read about this; it's the next generation of spyware/adware, which they have called ghostware.
Old 05 February 2009, 03:10 PM
  #22  
Dedrater
Scooby Regular
Join Date: May 2008
Posts: 3,957

Microsoft research paper which explains it, I think; it's an old bookmark.

http://research.microsoft.com/pubs/70147/tr-2005-25.pdf