Posted 30 November 2011 - 05:20 PM
I know I'm infected. I fought it for days (finding this forum too late, unfortunately), and I don't know if I've lost, yet. I don't know if this is the right forum for this, but I can't provide diagnostic logs, right now, and I'd appreciate advice. In Search and Rescue, we talk about rescue while there is still hope, and recovery when rescue is no longer likely. I'm somewhere between rescue and recovery of my laptop.
I've got a Dell Inspiron 1720, CoreDuo T7200, 4gb RAM, running Vista Ultimate 32-bit SP2 and McAfee IS, and a Dell XPS 410 running Vistal Home Premium SP2. I'm sharing the desktop, at the moment.
A gory story for your dark humor.
Thursday evening 11/24, I was working on my laptop when suddenly Cloud AV 2012 popped up on my screen and I started getting bombarded. McAfee, of course, said everything was beautiful. Before I realized my browser was being redirected, I found a 'Cloud AV 2012 removal tool' on what turned out to be an excellent spoof of the Trend Micro site. While this appeared to kill the Cloud AV 2012 process, it also introduced its own trojan(s). Then, I discovered Malwarebytes, and that found several issues and cleaned them up. Cloud AV 2012 appeared to be gone.
I still had the browser redirects (MSIE, FF), and I discovered that I had Ping.exe running constantly, and taking a huge amount of resources if I was connected to the internet. I researched the issue on 11/25, and got in touch with a local tech friend who provides first tier support as a job, and removing viruses being one of those tasks. He got back to me on 11/26 and told me I needed to use TDSSKiller for the redirects, and that ComboFix was the only thing recognizing the ping problem. I found this site, too late.
TDSSKiller found Rootkit.Win32.ZAccess.k and seemed to cure it, upon reboot. No, redirects. I ran ComboFix, and THEN read in here all the cautions against running it without specific advice, etc. Anyway, I didn't touch it and let it run, and it seemed to be stuck in the initial scanning phase. Never got as far as completing Phase 1. At some point, a Windows advisory popped up on the screen advising me that a freeware installation of XCACLS (uh oh, he says in retrospect) had stopped functioning and had been closed. I got on chat, here, and Lurch allowed as how ComboFix running for 12 hours was unusual and that I should stop it and open a Malware log thread and proceed from there. I would have done it, anyway. So, I did. That's when I learned that, while I thought ComboFix was running, something else had been, too. What appeared to be a system window popped up telling me that the Recycle Bin was corrupt. I acknowledged it. Then, I discovered that the McAfee icon in the system tray wasn't responding to me, and that my permissions to files and folders had been revoked or severely limited. I no longer had write permissions, and access to some applications was gone. I also discovered that all system recovery points had been deleted, except for one just prior to the point that XCACLS stopped. So, I can't run anything as Admin. I can't write logs. I can't save or print files. I can't disable McAfee. Bogus security warnings are coming up telling me that there are security violations by any web-based AV tools, like ESET, or utilities like MBAM, TDSSKiller, etc. I can't run GMER or OTL.
So. What I do have is complete backups on an external drive. Unfortunately, the custom recovery disk was thrown into a box while I was out of town on an extended contract, and put into storage, and no one knows where it is. Fortunately, I have learned that the Norton Ghost recovery disk will read my backup files (obsolete Norton Save and Restore), and doesn't require a customized recovery disk to run. So, there may be hope, yet, that I can recover and clean things up with a restore. In light of what happened with McAfee, and subsequent research on AV performance, I've switched the disktop over to Norton 360 v5 with its 2-way firewall, and upgraded from the obsolete Backup software to Norton Ghost.
I need to know if there are still ways for me to run software against my laptop to try to clean it, since my access has been screwed with, and a rootkit (or something) is still active on the machine. I'm wondering what precautions I should consider taking before connecting my external drives to the machine (USB vaccine?, scanning the external drive from the desktop, first?, what tools to use from the desktop to protect the desktop and have the best chance of cleaning the external drives?). I'm wondering if booting from a known safe recovery disk is sufficient to stop whatever is on the laptop at this point, long enough to overwrite the disk with a backup from before all this happened, or if I will then have a recovered machine that is still infected? It appears I may also be able to create a Norton Bootable Recovery Disk to reboot safely and try to clean things up with Norton AV and maybe Norton Power Eraser I don't know, yet. It would be custom to the desktop which is running Vista Home, but I think it uses generic Microsoft drivers.
Anyway, that's my tale. I'll appreciate your suggestions.