I want to track down these malware authors, cut off their thumbs and big toes, and then drive a tent peg through their temples into the ground. Sorry, I have been reading Judges lately, as it were.
The system I am working on seemed to be coming along. It was getting a floppy seek error, and then wouldn't boot once F1 was pressed to continue.
I looked in BIOS, and noticed the date and time was off. I had a spare CMOS battery, so I threw that in there, and was able to correct those problems, but it still would not boot.
I tried going into safe mode, but it stalled while loading drivers. I ran a repair off of the Windows CD, but then it stalled at the XP splash screen, where it says 'Please wait'. I did wait... for over an hour. Nothing. So I shut it down, booted off of the XP CD again, ran chkdsk /r, and waited some more. It would get to 75%, then jump back to 50%. It did that several times, but finally finished.
After it finished, I was able to boot into Windows. I got several errors about weatherbug and what not while Windows loaded. I removed weatherbug, and several toolbars, and then ran MalwareBytes. Three hundred and seven infected objects. I removed those, rebooted, then ran a full scan. Three infected objects. Removed, rebooted.
Then I tried to do a Windows update. IE wouldn't open from the Update icon or the actual program file. I ran ComboFix. Rootkit activity detected. Rebooted, ComboFix finished, and removed some objects.
Ran Malwarebytes, clean.
Ran Spybot S&D, 5 objects found. Removed. Rebooted.
IE still wouldn't open. Copied the Firefox exe over from another system, downloaded IE8, installed. It finally opened. Pages worked fine, except for... you guessed it, Windows Update.
Ran HijackThis, removed a few objects that didn't check out. Rebooted. Nothing.
Downloaded a Kaspersky live CD, ran that, clean.
Booted back into Windows. Reset TCP/IP and Winsock. Checked the hosts file... clean. Rebooted.
Still no update. I am running the Sophos Anti-Rootkit program now, will see what it turns up.
I have also downloaded the Panda SafeCD. I have not run it yet.
I am to the point where I am going to recommend reformatting, but I don't think the client is going to be happy with that option.
I am about to pull my hair out. Stupid infections.
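The hosts-file check mentioned in the post above is worth automating, because update and AV blocking is usually done by pointing the vendor's hostnames at loopback, 0.0.0.0, or an attacker-controlled address. The script below is an added example, not code from the thread or from any of the tools named in it; the sample hosts content is constructed, and the list of watched domain suffixes is an assumption you would adjust to the tools you rely on.

```python
import ipaddress
import sys

# Constructed sample modelled on a typical update-blocking hosts hijack.
# 192.0.2.10 is a documentation (TEST-NET-1) address standing in for an
# attacker-controlled IP; nothing here comes from the thread's machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       update.microsoft.com
0.0.0.0         www.malwarebytes.org
192.0.2.10      download.microsoft.com   # redirected to a foreign IP
127.0.0.1       mycompany.intranet.example
"""

# Assumption: domains a clean machine must be able to resolve normally.
# Extend this for whatever update/AV vendors are in use.
WATCHED_SUFFIXES = (
    "microsoft.com",
    "windowsupdate.com",
    "malwarebytes.org",
    "avg.com",
    "kaspersky.com",
    "sophos.com",
)


def parse_hosts(text):
    """Return (ip_address, hostname, lineno) for every real mapping.

    Comments (everything after '#') and blank lines are ignored, and a line
    whose first field is not a valid IP address is skipped as malformed.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((addr, name.lower(), lineno))
    return entries


def is_watched(hostname):
    """True if hostname equals or is a subdomain of a watched suffix."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text):
    """Flag watched hostnames that the hosts file overrides.

    'sinkholed' means the name is sent to loopback or 0.0.0.0 (blocked);
    'redirected' means it is sent to some other address (possibly MITM).
    """
    findings = []
    for addr, name, lineno in parse_hosts(text):
        if name == "localhost":
            continue  # the one loopback entry that is expected
        if not is_watched(name):
            continue
        kind = "sinkholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append({"line": lineno, "host": name, "ip": str(addr), "kind": kind})
    return findings


if __name__ == "__main__":
    # Usage: python hosts_check.py [path-to-hosts-file]
    # On XP the live file is %SystemRoot%\System32\drivers\etc\hosts.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for hit in find_hijacks(text):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']} ({hit['kind']})")
```

Run it against the live hosts file from a clean boot environment (a rescue CD, as in the post) rather than from inside the suspect Windows install, since a rootkit that hides file contents can also lie to a script running on the infected system. A clean file produces no output; anything flagged as 'redirected' deserves a look at where that address actually points before the machine is trusted again.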
Guess they didn't have anti-virus or a firewall and just installed anything that popped up on the screen.
The difficulties getting the poor thing to boot sound typical of a rooted box. :mad:
At the end of the day it would really be better to format and do a clean re-install, as you can run cleaner after cleaner to un-infect the machine but you will never know if there's something still lurking on the system.
If they're narked about losing the data, explain to them in "technical" terms that there was no option but to format and do a clean re-install of Windows.
Valuable lesson learned; harsh, but they will most likely either clean their act up and take more precautions, or they will lose their personal data again and again until they learn to run updates and not use an "administrative" user-level account. :drink:
They had AVG, but I am sure it was outdated. I didn't have a chance to check the SP level before I repaired, and if I remember correctly, running a repair will revert back to the service pack of the installation media, correct? It was at SP2 after the repair, but I couldn't connect to MS Update to do anything about it.
I think they do click on anything and everything that pops up. They had a rogue registry mechanic installed, koobface, several trojan droppers, fast web search bar, my web search bar, etc.
I called them today, and told them that I had it up and running, but that I highly suggested reformatting/reinstalling, and that I wouldn't trust it for day to day business.
Try running Dial-A-Fix and check the Update related services. Sometimes the services will not start and will have to be re-registered. You may also have to reset the registry permissions to allow the changes to be made. I think that likely, the infection is removed but the settings are still in the state the infection changed them to or are broken.
CyberB0b - I have already returned the system with instructions for reformatting. You could very well be right about the infection being gone, and settings skewed. Though with the nature of the information that passes through the computer, I would rather not take any risks. I would hate to give them the all clear, only to find out someone is mining data off of it! :eek:
I will have to make a note of 'Dial-a-Fix', sounds like it might be a handy tool.
Many thanks for the suggestion!
As a side note about Dial-A-Fix: It was created years ago and has not been updated. You will get error messages if you are running IE8 about it not knowing the version of IE and other related errors. You can ignore these messages. Basically it will do everything but modify IE8, which is usually enough. There are also lots of extra tools in the tool button for things like resetting the registry permissions. Not sure if it works in Vista or Windows 7.