Internet Security Platinum possible new variant


2 replies to this topic

#1 bedlin88

  • Members
  • 5 posts
  • Gender:Male
  • Location:Maryland, USA

Posted 02 August 2012 - 07:44 AM

I had a user who got herself infected with this bit of nastiness and wanted to share my experience with removing it and some of the behaviors I ran across that were not in the removal guide.

OS - Windows 7 Enterprise 64 bit

So it was late in the day on July 31st when she came to me. Its beginning behavior was exactly what I would have expected: it had taken over the .exe files so you could not run any executables on the system. So I took in her PC, pulled the drive and started a Malwarebytes scan before leaving for the day.

The next day when I arrived and checked Malwarebytes, it had only found 1 item which I removed. Now here is where it starts to go a bit off the track. When I booted her system back up with the returned drive and logged in I got the message that Windows was not genuine and that I had to activate it online. This I could not do because I had no internet connection, could not display Device Manager, and had no listing for network adapters. So I ran the things I do to repair the OS (chkdsk /r, sfc /scannow, etc.) to no avail. So I was getting ready to do an in-place upgrade repair, when it failed saying it could not get the disk information; some research there led me to the fact that the Virtual Disk service was not running, which led me to discover that the Plug and Play service had been deleted. Unbeknownst to me, multiple services had been deleted or set to be deleted on that initial shutdown. By comparing the services on that system with another Win 7 system I was able to export and import the registry entries back onto the infected system, which brought it back to life; none of the files associated with the services had been removed. Then I was able to get rid of any residuals left behind. Here is a list of the services that were deleted.

Plug and Play
ADF
Base Filtering Engine
Network Connections
NSI
NSIProxy
TDX
Active-X Installer
Application Information
Internet Connection Sharing
IP Helper
Network List Service
Peer Name Resolution Protocol
PnP-X IP Bus Enumerator
Quality Windows Audio Video Experience
Remote Desktop Configuration
Secondary Logon
Security Center
SPP Notification Service
Superfetch
System Event Notification Service
UPnP Device Host
Windows Color System
Windows Connect Now Config Registrar
Windows Defender
Windows Firewall
Windows Font Cache Service
Windows Update
WinHTTP Web Proxy Auto Discovery Service
WWAN AutoConfig

Hopefully this will help someone else should they run into the same issues. And I hope this was the correct place for this post.

Thanks

Edited by bedlin88, 02 August 2012 - 07:51 AM.
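The service comparison described in the post above, as an added example that is not bedlin88's own procedure or script: a PowerShell script that diffs the service keys under HKLM\SYSTEM\CurrentControlSet\Services on the affected host against a list exported from a known-good Windows 7 system, and also flags keys that the Service Control Manager has marked for deletion at the next boot (the DeleteFlag value it writes when a running service is deleted). The reference file name and the export commands are assumptions; run it elevated on the affected machine.

```powershell
# Constructed example: find service registry keys that are missing or pending
# deletion, compared with a reference list taken from a clean Windows 7 host.
#
# On the clean host, produce the reference list (one service key name per line):
#   Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services |
#       Select-Object -ExpandProperty PSChildName | Set-Content reference-services.txt
param(
    [string]$ReferenceFile = '.\reference-services.txt',   # assumed file name
    [string]$ServicesKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
)

# Service key names on the reference (clean) and the local (affected) host.
$reference = Get-Content $ReferenceFile | Where-Object { $_ -ne '' }
$local     = Get-ChildItem $ServicesKey | Select-Object -ExpandProperty PSChildName

# Keys present on the clean host but absent here: the deleted services.
$missing = Compare-Object -ReferenceObject $reference -DifferenceObject $local |
    Where-Object { $_.SideIndicator -eq '<=' } |
    Select-Object -ExpandProperty InputObject

# Keys still present but carrying DeleteFlag: the SCM removes these on the next
# boot, which matches services "set to be deleted" at shutdown.
$pendingDelete = foreach ($name in $local) {
    $props = Get-ItemProperty -Path (Join-Path $ServicesKey $name) -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['DeleteFlag']) { $name }
}

"Services missing compared with the reference host:"
$missing
"Services marked for deletion at next boot (DeleteFlag present):"
$pendingDelete

# Recovery, done per service key (the binaries were still on disk in this case):
#   clean host:    reg export "HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay" PlugPlay.reg
#   affected host: reg import PlugPlay.reg      (elevated prompt, then reboot)
# Remove the DeleteFlag value from any key listed above before rebooting, or
# the SCM will still drop that service.
```

Review the exported .reg files before importing them: a service key also carries the ImagePath, so confirm it points at the expected binary on the affected host.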


#2 noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 02 August 2012 - 04:29 PM

When I booted her system back up with the returned drive and logged in I got the message that Windows was not genuine and that I had to activate it online.
This I could not do because I had no internet connection,

Hello bedlin88 -
The "Activation" can usually be done by telephone, if you wish to -

Thank You -
Edited by noknojon -

Edited by noknojon, 02 August 2012 - 08:37 PM.


#3 bedlin88

  • Topic Starter

  • Members
  • 5 posts
  • Gender:Male
  • Location:Maryland, USA

Posted 02 August 2012 - 05:26 PM

Thanks noknojon, but once I fixed the Plug and Play service Windows was able to validate that it was genuine. Apparently the process that checks that relies on the Plug and Play service, so I learned something new, which made it a good day.

