The New Virus That Wont Go Away


7 replies to this topic

#1 rhysj

  • Members
  • 7 posts

Posted 18 March 2008 - 09:13 PM

Hi everyone. I'm a tech, and I have a virus at work that apparently won't go away. This is my first post, and I've been reading these forums for a couple of days now.

The virus would use Windows notifiers, a clone of Windows Defender, and other things to tell you your computer is going bad. Also, it used a blue screen active desktop. It disabled Task Manager, and I think Norton.

I disengaged the drive and used the Kaspersky rootkit scan and thought I got it; then 3 days later, it was back. I don't know if it came back or if the user reinfected, but I tend to think reinfected. The second time, Kaspersky didn't see it. I uninstalled Norton from the machine, installed NOD32 and then scanned the drive while hooked into another computer again.

Nothing showed up in Kaspersky or NOD32, but it did 3 days prior. This time I used SmitfraudFix and had to change the name of the exe. I THINK the virus is gone, all signs of it are... but now the network connection always says "weak signal" with a CAT-5 and it won't renew the IP. The loss of network happened before I removed the virus.

I have the logs at work from SmitfraudFix, and I'm not qualified to use HijackThis, but I have those logs too. Honestly, I don't have a clue right now why the IP won't renew.

One thing I forgot: there's a D:\ partition, and SmitfraudFix gets hung up at 'calculating disk space'.

Edit: Moved topic to the more appropriate forum. ~ Animal

Edited by rhysj, 19 March 2008 - 12:26 PM.



#2 rhysj (Topic Starter)

  • Members
  • 7 posts

Posted 19 March 2008 - 10:05 AM

Hi everyone. I posted yesterday, but the situation is a little different. I have a smitfraud which was very hard to remove. I used SmitfraudFix, but it hangs up trying to 'calculate' the D:\ partition. However, the notifiers, popups and active desktop are gone, but Task Manager and networking are still disabled. I'm about to do a Kaspersky rootkit scan, and it's worked before on this virus, but I swear the virus morphed in the last few days because it wasn't this hard to disinfect before. Last week, a rootkit scan removed all signs of the virus. There were no symptoms. Over the weekend, it was reinfected, I THINK. It may have just gone underground for a couple of days?

The computer was protected by Spybot and Norton (boss's home computer). When I scan, I use a bootdisk for Kaspersky, and I have an IDE/USB converter and used that to disengage the drive and run NOD32, and even that isn't finding it. I uninstalled Norton and TeaTimer and put NOD32 on this comp.

When I used SmitfraudFix, I had to change the name of the exe because the virus wouldn't let it run.

Like I said, SmitfraudFix 'removed' the virus from the C:\ partition, but hung up at the D:\ partition (backup files are on it).

Now my question, I think, is: is the virus gone and it damaged Windows system files, or is it not gone?

Summary:
Kaspersky rootkit scan, Spybot, Norton, NOD32 failed.
SmitfraudFix worked on C:\, failed on D:\.
All popups and notifiers are gone. Task Manager and network still inactive.
Sometimes the computer gets stuck 'on' or won't boot from the HD. Other times, I get steady repeating mobo beeps. Don't know if it's related, but I think so because a few other people in these forums who also have this virus have power issues.


Thanks.

Edited by rhysj, 19 March 2008 - 12:07 PM.


#3 rhysj (Topic Starter)

  • Members
  • 7 posts

Posted 19 March 2008 - 12:04 PM

Wow, it's worse now. Please help. I'm so lost. I posted about how I was about to use the Kaspersky bootdisk. I did, and it froze 25% through the scan. I let it sit an hour. I rebooted without the bootdisk in, and got BIOS beeps, repeating forever, which means death. Actually, it means memory or video error. I put in the bootdisk, tried again and it booted to Windows, not the disk. So, so strange. This is the worst virus I've ever seen. I even got rid of 'Monkey B' from a high school with bad-habit users in the 90s without this much effort.

Should I post the HJT log?

I'm going to nuke the drive, but the user never backed up his system and doesn't want to lose stuff. I'm scared that even if I nuke, the virus will still be there. If not still there, I'm scared it will just be back when the user does whatever he does. I feel like the hardware is getting attacked and will need to be replaced. I THINK NOD32 will stop it from reinfecting.

If someone could just point me in the right direction. I feel like I'm up against the Darth Vader of viruses, and I'm good, but I'm no Jedi. lol


Mod Edit:Topics merged for continuity ~TMacK

Edited by TMacK, 19 March 2008 - 12:22 PM.


#4 rhysj (Topic Starter)

  • Members
  • 7 posts

Posted 19 March 2008 - 05:43 PM

Update:

The Kaspersky rootkit scan removed 4 WebHancer entries, but that had no effect, and I think having it was just a symptom of the hiding virus. I think maybe even the smitfraud is just a symptom of the hiding virus.

#5 rhysj (Topic Starter)

  • Members
  • 7 posts

Posted 19 March 2008 - 09:16 PM

After the rootkits were eliminated, SUPERAntiSpyware found all the 180Solutions, Zango and WebHancer things, but here's the interesting part:

Now it found a Transponder Variant BHO and an Unclassified.Unknown Origin which I hadn't seen before.

#6 Master5270

  • Members
  • 131 posts
  • Gender: Male

Posted 19 March 2008 - 10:00 PM

Hello, I am Master5270. I will be trying to help with your problem.

You have tried the first suggestions I would have made, so now it's so bad that we have to skip to the part where I send you to the HijackThis Team.

First, use the Preparation Guide before posting a HJT log, and follow all the instructions.

Secondly, post a HJT log in this forum. The HJT team is busy, so it will take up to 5 days for a response.

If you haven't had a reply in 5 days, post your topic URL in this topic.
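Added example, not part of the original thread and not code from BleepingComputer or the HijackThis project: a small Python pass over the O2 (browser helper object), O4 (autorun) and O7 (registry policy restriction) lines of an HJT log, the kind of first read a helper does before working through the log by hand. It pulls out the items that match the symptoms described in this thread (a DisableTaskMgr policy behind a disabled Task Manager, an unnamed BHO, an autorun whose file name imitates a Windows core process). The sample log is constructed: its CLSIDs, paths and program names are made up and identify no real software, and the lookalike-name heuristic is this example's own assumption, not an HJT feature.

```python
"""HijackThis (HJT) log triage helper.

Added example (not from the original thread, BleepingComputer or the HJT
project). Parses O2, O4 and O7 lines of an HJT log and lists the entries a
helper would look at first. SAMPLE_LOG is constructed for illustration; its
CLSIDs, paths and names are made up and identify no real software.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in HJT's "Onn - ..." line format (not from a real machine).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0A1B2C3D-0000-1111-2222-333344445555} - C:\WINDOWS\system32\xyzbho.dll
O2 - BHO: Example Toolbar Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [exampleav] "C:\Program Files\Example AV\avgui.exe" /hide
O4 - HKLM\..\Run: [svhost] C:\WINDOWS\system32\svhost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System: DisableTaskMgr=1
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System: DisableRegedit=1
"""

# Assumed heuristic (not an HJT feature): autorun file names one edit away
# from a Windows core process name are worth a second look.
CORE_PROCESSES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe")

# O7 policies HJT reports; a value of 1 switches the restriction on.
RESTRICTIVE_POLICIES = {
    "DisableTaskMgr": "Task Manager disabled by policy",
    "DisableRegedit": "Registry Editor disabled by policy",
}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O7_RE = re.compile(r"^O7 - (?P<key>HK\w+\\[^:]+): (?P<policy>\w+)=(?P<value>\d+)$")


@dataclass
class Triage:
    bhos: list = field(default_factory=list)
    autoruns: list = field(default_factory=list)
    policies: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def exe_basename(cmd: str) -> str:
    """Lower-cased file name of the executable in an O4 command.

    Quoted paths are taken up to the closing quote; an unquoted path is cut at
    the first space (a simplification: unquoted paths containing spaces will be
    truncated).
    """
    cmd = cmd.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> Triage:
    """Collect O2/O4/O7 entries and record the ones worth a closer look."""
    t = Triage()
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            bho = m.groupdict()
            t.bhos.append(bho)
            if bho["name"] == "(no name)":  # unnamed BHOs are a classic adware sign
                t.findings.append(f"O2: unnamed BHO {bho['clsid']} -> {bho['path']}")
        elif m := O4_RE.match(line):
            run = m.groupdict()
            t.autoruns.append(run)
            base = exe_basename(run["cmd"])
            for core in CORE_PROCESSES:
                if base != core and edit_distance(base, core) <= 1:
                    t.findings.append(f"O4: {base!r} looks like {core!r} -> {run['cmd']}")
        elif m := O7_RE.match(line):
            pol = m.groupdict()
            t.policies.append(pol)
            label = RESTRICTIVE_POLICIES.get(pol["policy"])
            if label and pol["value"] == "1":
                t.findings.append(f"O7: {label} ({pol['key']})")
    return t


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG).findings:
        print(finding)
```

On the constructed sample this reports the unnamed BHO, the `svhost.exe` autorun that imitates `svchost.exe`, and both O7 restrictions; the DisableTaskMgr finding is the one that would explain the "Task Manager still disabled" symptom even after the visible popups are gone. A real log also has O1 (hosts file), O16 (ActiveX downloads), O20/O21 (Winlogon and ShellServiceObject hooks) and O23 (services) lines that a helper reads as well; they are left out here to keep the example short.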





#7 rhysj (Topic Starter)

  • Members
  • 7 posts

Posted 20 March 2008 - 01:20 AM

Thank you.

#8 Master5270

  • Members
  • 131 posts
  • Gender: Male

Posted 22 March 2008 - 03:36 PM

I hope your infection gets cleaned up soon! ~ Master.

Edited by Master5270, 22 March 2008 - 03:37 PM.
