So here goes. On the day of the event I was downloading what I thought would be some tool for helping me create human interface type macros, e.g., move the mouse here, click there and type in blah. I did not get this from a reputable site by any stretch of the imagination. I was foolishly looking for something for free that did this for me. Upon locating what I wanted I downloaded it and started to install it. Immediately Norton IS 2010 kicked in and said 'no'. When I looked up the reason it gave, it turned out to be another of those generic names Norton hands out to suspected viruses based upon its heuristics. In other words, the file was labeled a virus because Norton had never seen it before and didn't trust the site it came from. I thought I was smarter than Norton and was tired of such labeling, so I told it to ignore the file and allow me to run it.
After that I got a UAC popup from Windows asking me if I wanted to give this thing permission to run on my computer. Unfortunately this is pretty typical of installers and I rationalized my stupid decision by convincing myself that I could beat any such infection by simply following rules we've all learned for reacting to virus infections when they happen. Instantly the computer was thrust into a Blue Screen. It lacked all the typical bits of data of a blue screen as well, but said something akin to "The System has become dangerously unstable". I'm pretty sure I heard the drives spin down as well. So I did the one thing you should never do after getting a virus, I hit reboot.
Please don't beat up on me about this, I've already done plenty of it since then and I know how daft it was.
After the initial reboot my system got as far as the main login screen before I regained my wits. I did not log in but instead forced another reboot to Safe Mode. Within there I attempted to do a system scan with Norton, which at that time did not find any infections at all. I believe I then attempted to run a MalwareBytes scan, which errored out before completing. I then restarted into Safe Mode one last time and ran one more virus scan in hopes of turning up something, to no avail. I then rebooted the system hoping for the best. Upon logging in I received a Stop Error.
I cannot be precise on the first stop error because I only received this particular one once. It was most likely IRQL_NOT_LESS_OR_EQUAL or DRIVER_IRQL_NOT_LESS_OR_EQUAL. What I can say for sure is I researched the error that day and all relevant articles stated a service driver or process was attempting to gain higher permissions than it should have. What I understood this to mean is it was trying to jump itself to a higher security level (access level) than either the process which called it and/or the kernel itself. (If what I just described does not jibe with the errors listed then please go by the description, and my apologies. I can recall what I read about the error but cannot find my notes on the exact error code.)
As I mentioned, that was the first and last time I saw that error code. After that I restarted in Safe Mode once more and did a system restore to three days prior to the incident. I believe I attempted one last virus scan at this point. All virus scans at this time resulted in nothing. No detections. From this point forward all subsequent reboots resulted in a SYSTEM_SERVICE_EXCEPTION error code.
0x0000003B (0x00000000C0000005, 0xFFFFF800030D880C, 0xFFFFF8800A273D80, 00000000000000000)
That should be character for character the exact code.
At this point everything stops working. When I tried to load up Safe Mode I got that Stop Error; when it restarted, Windows didn't even get to logon before giving that error. Rinse and repeat, the system was a big blue brick. After this the only way to get any information off the computer was through boot disks. I tried the Win 7 Recovery tool and told it to attempt to diagnose and fix OS errors. Each time it returned an "Error Unknown" response.
Signature 4 = 21200944, Signature 5 = AutoFailover, Signature 6 = 4, Signature 7 = 0xA, LocaleID = 1033
In case any of that is relevant.
Finally I took to the internet and forums. By this point all my research has confirmed my worst fear, that I have a boot sector virus; however, virus scanners did not confirm this. I used a Norton Bootable Recovery Disk to do a scan one last time before packing it in for Christmas. It turned up nothing. As of yesterday I burned a new recovery disk with current virus defs and sure enough it finds something right away: Trojan.Gen & Boot.Tidserv.B. Norton was unable to fix the latter but (supposedly) removed Trojan.Gen successfully. After this I read on the forums what steps one is expected to take prior to posting, along with the posting guidelines. I read about the AVG boot disk, downloaded it, ran it. AVG apparently looks at the partitions themselves but not the boot sector nor unpartitioned space, which Tidserv is notorious for using as I understand it. AVG did not turn up any boot virus nor Tidserv in its scans; however, it found nine others where Norton did not.
Under /mnt/sda2/Users/MajBoothroyd/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/ the following was identified:
/22/76b61fd6-632d83a9_1297128311.arl:/vmain.class Trojan horse Exploit_c.KNA
/22/76b61fd6-632d83a9_1297128311.arl Trojan horse Exploit_c.KNA
/48/472eb3f0-3a760436_1297128311.arl:/vmain.class Trojan horse Exploit_c.KNA
/53/66f20c75-7d6c6516_1297128311.arl::/vmain.class Trojan horse Exploit_c.KNA
/48/472eb3f0-3a760436_1297128311.arl Trojan horse Exploit_c.KNA
/53/66f20c75-7d6c6516_1297128311.arl Trojan horse Exploit_c.KNA
- - - - - - - - - - - - - - - - -
It also found:
/mnt/sda2/Users/MajBoothroyd/Downloads/Games/Chaoslauncher_zip_1297128311.arl:/APMAlert.bwl Trojan horse Downloader.Generic10.BVKI
/mnt/sda2/Users/MajBoothroyd/Downloads/Games/Chaoslauncher_zip_1297128311.arl Trojan horse Downloader.Generic10.BVKI
It should be noted that ChaosLauncher is an extremely old, nay antiquated, application built years ago to force the original StarCraft game into a window. This was in part due to the lack of support for windowed mode with that old game, but also to remedy major color corruption and screen resolution errors when running this game on current systems. For example, the game doesn't know how to handle widescreen aspect ratios. ChaosLauncher has been known to turn up false positives; some AVs have cleared it. I had successfully and safely used this program since summer of 2010 for nostalgia purposes. In other words, it is my belief that this particular file can be ignored for this issue.
It should be noted that the files AVG found were renamed based upon advice in what I read. Also I noticed there were two, I dunno, mounts or partitions? that AVG was listing. I realize AVG runs on Linux, of which I have limited experience, but what was peculiar to me is that upon scanning both it appeared to be the same files and the same drive. Should I be concerned?
So here's my question:
#1. Is it possible to return this computer to full functionality without significant loss of data?
#2. If it's not possible, is there risk in connecting the drive as a secondary (non-boot) drive to another system for file retrieval? (Yes the other system will have fully updated protections as well.)
#3. Assuming a fix is not possible, how does one go about returning the infected drive to a usable condition again? I recall years ago the use of something like format c: /u in order to destroy boot sector corruptions caused by Win98. I also recall specifically unpartitioning everything, formatting, then repartitioning and reformatting as a method of "cleaning" drives. Does any of this work?
Help me Obi-Wan, you're my only hope. :-\
Edited by MajBoothroyd, 08 February 2011 - 11:28 AM.
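The post quotes a SYSTEM_SERVICE_EXCEPTION line character for character and names two IRQL bugchecks it may have seen earlier. As an added example (editor's code, not part of the original post or any tool it mentions), the decoder below parses a STOP line of that shape and maps the four parameters to their documented meanings from Microsoft's bugcheck reference: for 0x3B, parameter 1 is the NTSTATUS of the exception, parameter 2 the address of the faulting instruction and parameter 3 the address of the context record; for 0xA and 0xD1, parameter 1 is the memory referenced, 2 the IRQL at the time, 3 the access type and 4 the address of the instruction that referenced it. The kernel-space test assumes x64, where any address with bit 63 set lies in the kernel half of the canonical range; the 0xD1 sample line is constructed, not from the post.

```python
import re

# Bugcheck codes named in the post, from the public Microsoft bugcheck reference.
BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
    0x3B: "SYSTEM_SERVICE_EXCEPTION",
}

# NTSTATUS values that commonly appear as parameter 1 of a 0x3B bugcheck.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000096: "STATUS_PRIVILEGED_INSTRUCTION",
}

# Parameter 3 of 0xA / 0xD1: 0 = read, 1 = write, 8 = execute (0xD1 only).
ACCESS_TYPES = {0: "read", 1: "write", 8: "execute"}

# Matches "0x0000003B (p1, p2, p3, p4)"; parameters may or may not carry a 0x prefix.
STOP_RE = re.compile(r"0x([0-9A-Fa-f]{8})\s*\(\s*([^)]*)\)")


def parse_stop_line(line):
    """Return (bugcheck_code, [p1, p2, p3, p4]) from a STOP line as typed into a post."""
    m = STOP_RE.search(line)
    if not m:
        raise ValueError("no STOP code found in: %r" % line)
    code = int(m.group(1), 16)
    params = [int(p.strip(), 16) for p in m.group(2).split(",")]
    if len(params) != 4:
        raise ValueError("expected 4 parameters, got %d" % len(params))
    return code, params


def is_kernel_address_x64(addr):
    """x64 assumption: the kernel half of the canonical address space has bit 63 set."""
    return addr >= 0x8000000000000000


def decode_stop(line):
    """Decode a STOP line into a dict with the documented meaning of each parameter."""
    code, params = parse_stop_line(line)
    result = {"code": code, "name": BUGCHECK_NAMES.get(code, "UNKNOWN"), "params": params}
    p1, p2, p3, p4 = params
    if code == 0x3B:
        # SYSTEM_SERVICE_EXCEPTION: an exception was raised while executing a
        # routine that transitions from user mode to kernel mode.
        result["exception"] = NTSTATUS_NAMES.get(p1, "unknown NTSTATUS 0x%08X" % p1)
        result["fault_address"] = p2
        result["context_record"] = p3
        result["fault_in_kernel_space"] = is_kernel_address_x64(p2)
    elif code in (0x0A, 0xD1):
        # A pageable (or invalid) address was touched at an IRQL that is too high.
        result["memory_referenced"] = p1
        result["irql"] = p2
        result["access"] = ACCESS_TYPES.get(p3, "unknown (%d)" % p3)
        result["instruction_address"] = p4
        result["fault_in_kernel_space"] = is_kernel_address_x64(p4)
    return result


def describe(line):
    """One-line human-readable summary, useful when triaging a forum post."""
    r = decode_stop(line)
    if r["code"] == 0x3B:
        return "%s: %s at 0x%016X (context record 0x%016X)" % (
            r["name"], r["exception"], r["fault_address"], r["context_record"])
    if r["code"] in (0x0A, 0xD1):
        return "%s: %s of 0x%016X at IRQL %d from 0x%016X" % (
            r["name"], r["access"], r["memory_referenced"], r["irql"], r["instruction_address"])
    return "%s (0x%08X)" % (r["name"], r["code"])


if __name__ == "__main__":
    # The exact line from the post.
    print(describe("0x0000003B (0x00000000C0000005, 0xFFFFF800030D880C, 0xFFFFF8800A273D80, 00000000000000000)"))
    # Constructed sample of the other family the post mentions (not from the post).
    print(describe("0x000000D1 (0x0000000000000010, 0x0000000000000002, 0x0000000000000001, 0xFFFFF88001234567)"))
```

Run against the posted line it reports an access violation (0xC0000005) raised by an instruction at a kernel-space address, which is the kind of detail a responder would compare against the loaded-module list from a crash dump; the parameters alone do not identify which driver or which file, only where the exception fired.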