TechSpot

Very bad system

By plasma dragon00
Apr 4, 2009
  1. Hey guys, sorry to pull this on you, but I'm working on a PC for a friend of mine, and it is infected beyond belief. So many randomly named entries in startup (disabled all, now I can get on the system). Can't download ANYTHING though, so I had to burn a CD from my good comp.

    She had no AV, firewall, or anti-malware/spyware installed...

    Safe mode won't see my disk (it's rewritable, maybe I should try normal) and normal mode is having a hard time copying/running from it... Dare I risk plugging the flash drive I put into her PC back into mine... I think I'm gonna risk it. I have enough programs that should catch any nasties coming through.

    Wait, here goes a copy from the CD!

    Anyway, while this attempts to copy, if I can't run it off of the CD, what shall I do? I'm going to run a ComboFix also, I can't see a harm in doing so (I won't be running any scripts for it yet anyway)... but if someone has anything against that, speak now lol.

    No logs here yet, but if anyone has any ideas on what to do to start, please let me know.

    BTW, I also manually found and deleted command.exe. Heard it was a virus. Sitting in my recycle bin right now.

    Edit - copied programs to my flash drive, no problem. So many things, as shown by an avast scan, are infected by the Win32:Vitro virus. Also Win32:Trojan-gen {Other}. Boot time scans ftw.

    Edit - also Win32:Driller
     
  2. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    Ya know what, never mind on the help. The computer is FUBAR. An avast! boot time scan found 1501 infected files, many belonging to Windows critical files. Upon boot (in regular and safe mode) it logs the user on, shows the desktop wallpaper, and promptly logs you off. I gotta hook it up to my PC, remove my hard drives, and copy it all to a drive or burn it to a disk using Linux (her pictures and music, forgot to say that). Actually, given the burners work, I can do it from her computer I guess. Once I can get the logfile, I'll post it here for the lulz.
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please follow the steps in the Virus and Malware Removal HERE:

    When you have finished, please attach the three logs to your reply.

    Please do NOT run any other programs, including ComboFix unless your helper instructs you to do so.
     
  4. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    There's the virus log, whoever feels like taking a look at it, go ahead. If not, that's fine, I'm formatting the system and reinstalling Windows.

    DBAN DoD 5220.22-M, 7 passes, 2 rounds. I want to make sure everything here is dead lol.

    Feel free to close this.
     


  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Well, you get the prize for the most infected files I've ever seen! A distinction you surely don't want!

    Probable causes:
    Win32:Driller
    Win32:Vitro:
    1. A new *hardcore* file infector from the authors of Virut.
    The Virut family of viruses uses polymorphism to hide from all anti-virus protection; it infects executable files. File infection makes it very hard to repair a system that has been infected. W32/Vitro injects code into running processes and hooks the following functions in ntdll.dll, which transfers control to the virus every time any of these function calls are made.

    So Virut will attach to an important system file that is used for a plethora of things, and so creates room for the virus as it pleases, so to say, because almost every program makes use of these system APIs. Also the virus scanner itself is not immune from it...
    Scanning from another computer is not a very bright thing to do either when a file infector is involved, given the risk of re-infection; the only sensible thing to do in such a case is using a PE CD.
    The virus only injects when it is active, but an autorun is also enough to infect.
    Best policy is preventing infection by running fully updated and patched Windows and third party software, and to use in-browser security like Firefox with NoScript installed. Malcreants at the moment will use every weakness in IE browsers known for spreading their drive-by malware infectors... and one ounce of prevention is worth 10 kg of cleansing after the fact...
     
  6. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    lol at "prize for most infected files I've ever seen". I was quite amazed as well, and that's JUST the avast log. It also found about 20 things during the initial memory scan, BitDefender online found 33 (couldn't run Trend Micro HouseCall), Spybot S&D found 498 items (combination of malware, spyware, adware, PUPs, and trojans) and who KNOWS what else was there.

    So yeah, I'm considering this done, I'm just nuking the hard drive with DBAN. One thing, just out of curiosity, is when you put the quote of Win32:Driller, it keeps saying "PE EXE files". What does the PE in that mean?

    And, the award isn't linked to me directly... I'm just the guy who fixes it lol =P

    Well thanks for the help, as well as the definition on some of these viruses Bobbye ^_^

    EDIT! - One last big thing, I hooked a 512 flash drive to her PC to try to install antiviruses to it, and then I hooked it back into mine to copy more things to it. I scanned it when I plugged it into mine first; avira (though I'm now using avast free) found 3 viruses, one in the MBAM installer, Spybot installer, and the avira installer. I thought they were false positives, the thing said it was exhibiting behaviors of malware (I think). What is the risk that a virus copied off of her PC to mine through the flash drive? I also plugged it in on Windows 7 to install DBAN to it, avira scan found nothing. I run the Windows 7 drive in the same case as my XP drive, hooked up at the same time. If, say, 7 got infected, would/could it copy to my XP drive? An avast boot time scan (running from XP, scanned both drives) showed completely clean. I have no problem formatting my 7 drive, would prefer not to format my XP drive if I don't have to, but it's getting RMA'ed to Seagate soon anyway.

    Then, what about the viruses copying to my data drive (separate 1TB drives, also hooked up at the same time)? Is it safe to play WoW? OH the inhumanity, the confusion, the question.

    If you could assist me with my paranoia on the mentioned topics, I would be very appreciative.
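    As an added example, written for this page and not taken from the thread or from any of the tools named in it: a small Python reader for the PE format that the Win32:Driller description's "PE EXE files" refers to (post 6's question), plus two defender-side checks for a suspected file-infector victim like the machine in post 5. PE ("Portable Executable") is the Windows executable format: an "MZ" DOS stub, a "PE\0\0" signature, a COFF file header, an optional header holding the entry point, and a section table. The function names (build_minimal_pe, parse_pe, entry_point_findings, integrity_report) and both sample executables are my own constructions; the "infected" blob only imitates the layout an appending file infector leaves behind (entry point redirected into a trailing writable+executable section) and contains no code. The entry-point rule is a general triage heuristic, not a claim about Vitro or Driller specifically.

```python
# Added example, not from the TechSpot thread. Minimal PE header reader plus two
# checks an analyst runs on executables from a suspected file-infector victim.
import hashlib
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_minimal_pe(sections, entry_rva):
    """Construct a tiny PE32 image for testing (constructed data, not a real program).
    sections: list of (name, virtual_address, size, characteristics)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew: PE header at 0x40
    opt = bytearray(224)                                     # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), size, va, size, 0, 0, 0, 0, 0, ch)
        for name, va, size, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Walk DOS stub -> PE signature -> COFF header -> optional header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header: not a PE executable")
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("no PE signature at e_lfanew")
        machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
        opt_off = e_lfanew + 24
        magic = struct.unpack_from("<H", data, opt_off)[0]   # 0x10B PE32, 0x20B PE32+
        entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
        sections = []
        for i in range(nsec):
            off = opt_off + opt_size + i * 40              # each section header is 40 bytes
            name, vsize, va, rawsize, _ = struct.unpack_from("<8sIIII", data, off)
            chars = struct.unpack_from("<I", data, off + 36)[0]
            sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                             "va": va, "size": max(vsize, rawsize), "characteristics": chars})
    except struct.error:
        raise ValueError("truncated PE header") from None
    return {"machine": machine, "pe32plus": magic == 0x20B,
            "entry_rva": entry_rva, "sections": sections}


def entry_point_findings(pe):
    """General triage heuristic: appending infectors typically move the entry point into
    a section they added at the end, and that section must be executable (often RWX)."""
    findings = []
    secs, ep = pe["sections"], pe["entry_rva"]
    hit = next((i for i, s in enumerate(secs) if s["va"] <= ep < s["va"] + s["size"]), None)
    if hit is None:
        return ["entry point outside every section"]
    s = secs[hit]
    if len(secs) > 1 and hit == len(secs) - 1:
        findings.append(f"entry point in last section {s['name']!r}")
    if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {s['name']!r} is writable and executable")
    return findings


def integrity_report(files, baseline):
    """Compare SHA-256 of each file to a known-good baseline (hashes taken from clean
    install media). On a file-infector victim the changed list is what gets replaced,
    not "cleaned"."""
    return [name for name, data in files.items()
            if baseline.get(name) != hashlib.sha256(data).hexdigest()]


# Constructed samples: a clean two-section image and a variant with a trailing RWX
# section that now owns the entry point (the shape an appended infection leaves).
CLEAN = build_minimal_pe(
    [(b".text", 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
     (b".data", 0x2000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE)],
    entry_rva=0x1010)
INFECTED = build_minimal_pe(
    [(b".text", 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
     (b".data", 0x2000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE),
     (b".xyz", 0x3000, 0x800, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)],
    entry_rva=0x3000)
BASELINE = {"sample.exe": hashlib.sha256(CLEAN).hexdigest()}   # constructed known-good hash

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("infected", INFECTED)):
        pe = parse_pe(blob)
        print(label, [s["name"] for s in pe["sections"]], entry_point_findings(pe))
    print("changed vs baseline:", integrity_report({"sample.exe": INFECTED}, BASELINE))
```

    The two checks answer different questions. The hash comparison tells you which files differ from known-good media, which is the only reliable way to scope a file infector (a scanner verdict of "repaired" still leaves a file you cannot vouch for). The entry-point heuristic is for triage without a baseline: a legitimate compiler puts the entry point in the code section near the front, so an entry point in a trailing writable+executable section is worth a closer look, though packers produce the same shape, so it is a lead rather than a verdict.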
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

  8. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    Bobbye, I feel like I'm asking a lot, but would you mind helping me make sure my computer is clean by me following the removal steps?
     
  9. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    What, re-partitioning (basically formatting) and starting a fresh install?

    Well that's pretty easy, did you need a guide for that?


    Microsoft's Windows XP Professional Repair Install step by step (* Including Delete Partition)
    http://www.windowsxpprofessional.windowsreinstall.com/sp2sp3installxpcdoldhdd/indexfullpage.htm

    Microsoft's Windows XP Home Repair Install step by step (* Including Delete Partition)
    http://www.windowsxphome.windowsreinstall.com/sp2sp3installxpcdoldhdd/indexfullpage.htm

    Vista Repair:
    http://www.windowsreinstall.com/winvista/index.htm (index page)
    http://vistahomepremium.windowsreinstall.com/repairstartup/repairstartup.htm (guide)

    * Warning deleting the Partition will remove all User data and Windows system files
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The steps for Virus and Malware Removal are HERE

    Follow the steps- they are well set out. Then attach the 3 logs and I'll review them. I can't do much until I see what's on the system. Be SURE to check the lines in Malwarebytes and SuperAntispyware to remove what is found. Don't attempt to remove anything in HijackThis. Most of the entries are legit- I'll tell you which need to go.

    If the amount of the infection is anything as bad as in Post #4, I doubt we'll be able to clean it.

    This thread is for the use of plasma dragon00 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Virus and Malware Removal Forum.


    EDIT: kimsland, we were posting at the same time! Yours wasn't there when I started.
     
  11. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    Here they are, thanks for the help.
     
  12. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    Was playing WoW, and it randomly exited, no error message or crash report, nothing.

    May have to do with my new mouse, just a coincidence, but ya never know. Any ideas?
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    We'll be stopping here. TechSpot does not help users with pirated software:

    C:\PROGRAM FILES\STARDOCK\OBJECTDOCK\KEYGEN.EXE
    C:\RECYCLER\S-1-5-21-1085031214-1078081533-839522115-1004\DC1\STARDOCK OBJECTDOCK PLUS V1.90.535U\FIXED PATCH\KEYGEN.EXE

     
  14. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    Those actually belong to my sibling who uses my computer when I don't; would you consider helping me if I uninstalled the program?
     
  15. jobeard

    jobeard TS Ambassador Posts: 9,311   +617

    If you would:
    1. create a new login for each user
    2. make them all Limited Accounts with passwords
    3. you would have avoided 90% of this corruption
    NEVER go online with the Admin account!

    I'm sure you've experienced enough pain to alter your next system appropriately :)
     
Topic Status:
Not open for further replies.
