
Thread: Bad Infection

  1. #1 Uranium Lounger (New Jersey, joined Mar 2001)
    I have a client's computer that is FUBAR !!!! I've never run into one that stumped me like this one has. I spent a few hours at his store today and thought it was a System Guard 2009 infection. But the computer would not allow me access. The only way in was Safe Mode and once in AVG was crippled and the system would not clear the infection.

    I then tried what I thought was a utility to remove it and ended up installing Spyware Doctor. Useless program !!! It comes without any virus data and must be updated to run. Not an easy task in Safe Mode !!! I ran the System Guard 2009 removal tool without success and ended up removing it via the uninstall option in the program. Still no joy. Ended up bringing the box home, pulled the drive and slaved it to my system and ran Avast! Removed 20 odd trojans and BS .dll's with Avast and also ran Malwarebytes and removed another 19 items. Installed Spyware Doctor on my system and found that there was no option to scan anything but the computer it is installed on and not any of the USB connected or slaved drives. USELESS !!!!! Then found Spyware Doctor a PITA to remove from my system. Finally got things back to normal on my system and searched for the processes associated with System Guard. None found. Running Avast again found 3 more problems in the System Restore files and removed them.

    Now I'm stuck. I reinstalled the drive in its box and tried to start it, but the result was the same. It's set to boot to the desktop, but flashes the Welcome screen and then his wallpaper and then back to the welcome screen after a few long moments and then presents him with his profile name to click. Clicking that brings a quick log-in and then it logs out without getting past the Welcome screen.

    My plan is to reinstall the drive and start in Safe Mode and maybe do a System Restore back to the middle of March, before he noticed problems, but am reluctant because of all the trojans and other infections I removed and not knowing when they got onboard. Otherwise, I suppose that the best course might be to try and manually remove any registry entries and other files related to this nasty. But I can't be sure what the real problem is and that is the main roadblock to getting the system clean.

    Any and all thoughts gratefully considered. Thanks !!! And, pardon the rant. It's been a long day.

  2. #2 Super Moderator jscher2000 (Silicon Valley, USA, joined Feb 2001)
    [quote name='DocWatson' post='770738' date='15-Apr-2009 20:23']My plan is to reinstall the drive and start in Safe Mode and maybe do a System Restore back to the middle of March, before he noticed problems, but am reluctant because of all the trojans and other infections I removed and not knowing when they got onboard.[/quote]
    AV software often can strip out infected files stored in the system restore folder. You could at least try scanning them.

  3. #3 Super Moderator BATcher (A cultural area in SW England, joined Feb 2008)
    [quote name='DocWatson' post='770738' date='16-Apr-2009 04:23'][/quote]
    Certainly worth downloading, and installing Malwarebytes' AntiMalware; first do this in Safe Mode, and make sure you Update the definitions before doing a Full/Complete Scan. Then do the Scan again in 'normal' Windows.

    This has worked for me with infected machines, the worst being Vundo/Virtumonde.

    As with all full-partition file scans, it will take ages...
    BATcher

    Time prevents everything happening all at once...

  4. #4 Administrator (St Louis, Missouri, USA, joined Mar 2001)
    [quote name='DocWatson' post='770738' date='15-Apr-2009 22:23']My plan is to reinstall the drive and start in Safe Mode and maybe do a System Restore back to the middle of March, before he noticed problems, but am reluctant because of all the trojans and other infections I removed and not knowing when they got onboard.[/quote]

    Have you done a rootkit scan?

    Since it boots OK in safe mode but not normal mode it could be a driver issue. You could try uninstalling or updating the video driver.

    Joe

  5. #5 Uranium Lounger (New Jersey, joined Mar 2001)
    [quote name='jscher2000' post='770748' date='16-Apr-2009 00:40']AV software often can strip out infected files stored in the system restore folder. You could at least try scanning them.[/quote]

    The SR files were scanned with Avast when I had the drive slaved to my machine and most of the infections were found there. Of course they were copies of the infections that were on the system, stored in each restore point since the problem began.

  6. #6 Uranium Lounger (New Jersey, joined Mar 2001)
    [quote name='BATcher' post='770753' date='16-Apr-2009 01:08']Certainly worth downloading, and installing Malwarebytes' AntiMalware; first do this in Safe Mode, and make sure you Update the definitions before doing a Full/Complete Scan. Then do the Scan again in 'normal' Windows.

    This has worked for me with infected machines, the worst being Vundo/Virtumonde.

    As with all full-partition file scans, it will take ages...[/quote]

    Ran a Malwarebytes scan while it was slaved to my machine. Found and removed 19 infections or traces.

    AFAIK, you can't connect to the internet in Safe Mode to update the definitions. I installed Spyware Doctor in Safe Mode at the client's store and tried to update it, but couldn't connect. My scans at home turned up 3 instances of the Vundo Trojan along with about 15 others and System Guard 2009, which was installed. I tried Spyware Doctor on my machine with his drive slaved, but it doesn't offer any option to scan any drive but C and doesn't remove anything unless you buy it. No better than the spyware itself, IMHO. Couldn't wait to remove it from my system.

    Yes, I spent 4 hours last night scanning and removing junk, to no avail.

  7. #7 Uranium Lounger (New Jersey, joined Mar 2001)
    [quote name='joeperez' post='770790' date='16-Apr-2009 09:23']Have you done a rootkit scan?

    Since it boots OK in safe mode but not normal mode it could be a driver issue. You could try uninstalling or updating the video driver.

    Joe[/quote]

    I'm planning on checking it for rootkits when I re-boot the system today in Safe Mode and scan it then. The AVG & Sysinternals rootkit tools I have will only scan the C drive.

    Am I mis-informed, or not getting something about connecting to the internet in Safe Mode??? I can't update the drivers if I can't get on the internet, can I??

  8. #8 Plutonium Lounger (Lexington, Kentucky, USA, joined Oct 2001)
    [quote name='DocWatson' post='770807' date='16-Apr-2009 10:01']AFAIK, you can't connect to the internet in Safe Mode ...[/quote]
    I've never done it, Doc, but isn't it possible to boot into "Safe Mode With Networking?"

  9. #9 Uranium Lounger (New Jersey, joined Mar 2001)
    [quote name='Bigaldoc' post='770810' date='16-Apr-2009 10:04']I've never done it, Doc, but isn't it possible to boot into "Safe Mode With Networking?"[/quote]

    Would that allow me to connect to the internet?? I thought that was only for LANs.

  10. #10 Administrator (St Louis, Missouri, USA, joined Mar 2001)
    [quote name='DocWatson' post='770811' date='16-Apr-2009 09:07']Would that allow me to connect to the internet ?? I thought that was only for LANs.[/quote]

    "Safe mode with networking" should allow internet access. See Safe Mode - Choose a Windows XP Safe Mode Option.

    Joe

  11. #11 Super Moderator BATcher (A cultural area in SW England, joined Feb 2008)
    [quote name='joeperez' post='770816' date='16-Apr-2009 15:26'][/quote]
    "Safe mode with networking" does allow internet access!
    BATcher

    Time prevents everything happening all at once...

  12. #12 Plutonium Lounger (Lexington, Kentucky, USA, joined Oct 2001)
    [quote name='DocWatson' post='770811' date='16-Apr-2009 10:07']Would that allow me to connect to the internet ??[/quote]
    This is kinda funny. The reason I wasn't here to answer your question (but thankfully Joe did) is that I was rebooting to make sure I could see the web through MY router. I guess I wasn't hitting F8 fast enough because the Vista Boot Pro screen kept coming up and it would allow safe mode w/networking for Vista and Win7 but NOT XP. I'll have to exercise my "trigger finger" and try again later.

    But, good luck to YOU!

  13. #13 Uranium Lounger (New Jersey, joined Mar 2001)
    [quote name='joeperez' post='770816' date='16-Apr-2009 10:26']"Safe mode with networking" should allow internet access. See Safe Mode - Choose a Windows XP Safe Mode Option.

    Joe[/quote]

    Thanks for that Joe. It seems I was mistaken. This will have to wait until I get back to his store as I use Comcast as my ISP and he uses Verizon DSL.

  14. #14 Uranium Lounger (New Jersey, joined Mar 2001)
    [quote name='BATcher' post='770825' date='16-Apr-2009 10:41']"Safe mode with networking" does allow internet access![/quote]
    Thanks John.

  15. #15 Uranium Lounger (New Jersey, joined Mar 2001)
    Game Over !!!

    Just tried booting to Safe Mode and now it's exhibiting the same behavior in Safe Mode. Won't log into his profile or Administrator. Now it doesn't even flash his wallpaper, but just cycles from starting to saving settings and then logging off.

    So.... I'm off to my local computer wizard to have these demons excised. Wish me luck !!!
