Virus problems - a sad story


Don't know what infected my machine, but whatever it was removed all
program *.exe files, and some data in the profiles. But the program
folders were left in place. All AV software was deleted, and
reinstalling didn't work properly, as "policies have been changed to
prevent this operation" when I tried to extract the zips, etc.

Administrative Tasks was unavailable in the control panel - wiped clean.
So the first order of business wasis a very run-of-the-mill program, but
in this instance saved the bacon.

Bah, and bah and bah again.

Fortunately, we have several machines, so I was able to download and use
AV software. After two days of cleaning and many reboots, and a Repair
of the XP system, the machine is once again clean and purring. I've
reinstalled all the essential software.

One good side effect: I've realised just how much unessential software
I'd installed, and haven't used since testing it. The renewed machine is
much leaner.

I am now "greywolf", but will still sign myself as:
Wolf Kirchmeir

Cheers.

Re: Virus problems - a sad story



[quoted text elided]

So what is the name of this mystery "virus" that deleted all your "program exe
files" and deleted all your antivirus software?



 

Re: Virus problems - a sad story



| So what is the name of this mystery "virus" that deleted all your "program exe
| files" and deleted all your antivirus software?

Yes, I'd like to know what malware did this as well.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Virus problems - a sad story

David H. Lipman wrote:
[quoted text elided]

I'd like to know, too. But I didn't keep a record of what was cleaned.
Shoulda, I guess, but I was too intent on getting the job done. Went
into a kind of trance -- this was the first and so far only time I've
had a really serious event. Afterwards, when I surfaced from my dazed
condition, I was hoping someone would recognise the symptoms and provide
a name.

I see my editing cut out a chunk of my original post. FYI, I used
Stopzilla to undo the policy change that prevented reinstalling the AV
software. Ran it from a USB key. Then I reinstalled the AV software,
first d/l the latest versions in most cases.

Stopzilla was the only one that showed a policy change. O'wise, it's an
average program IMO.

HTH

Re: Virus problems - a sad story

Dave-UK wrote:
[quoted text elided]


I have no idea. The AV software cleaned out a variety of rogues,
trojans, viruses, etc. They weren't marked "I did it, heh heh!"

Cheers,

Wolf Kirchmeir

Re: Virus problems - a sad story



[quoted text elided]

Don't you look at log files?
Don't you look at what your AV is telling you?
Aren't you even remotely interested in something that causes such catastrophic
failure?

 

Re: Virus problems - a sad story

Dave-UK wrote:
[quoted text elided]

Yes, the only interesting ones are:
a) VIPRE setup log file, for unsuccessful reinstall, which reported
policy errors, and that this file was untrusted (!).
b) zilla5.log, which presumably is the StopZilla log. It's unreadable.

[quoted text elided]

Yes, and I used that info to decide what to do next. Stopzilla reported
trojans, rogues, etc, and policy errors, so I paid the license fee, it
did its work, and from then it was a tedious process of scan, clean, and
eventually repair and reinstall. FWIW, after I was able to reset the
policy to permit installation of AV software, none of the scans reported
anything worse than minor spybots and click agents.

[quoted text elided]

Yes, I am. Here's an extended account, as near as I remember (I made
very few notes along the way, as I kept thinking "This ought do it!" But
it didn't.)

a) I installed Lipman's Multi-Av, and started it. Downloaded Sophos and
Trend. No problems, but did no scans. Clicked on Kaspersky, nothing
happened, machine appeared frozen. Clicked on Reboot, and after extended
disk activity the machine shut down.

b) rebooted. First hints that something was wrong was the user icons on
the welcome screen -- they had reverted to the defaults -- and the
absence of "Shut down computer..." button. No programs ran. Checked
directories, they were mostly empty. The Program list showed "Empty" for
every program. Looked at Control Panel, Administrative Tools was empty.
Tried to reinstall VIPRE, failed.

c) decided to repair, starting with AV scans. The absence of Admin Tools
suggested a variety of things -- bolloxed registry, partial uninstall of
Windows, construction of aliases to fool Explorer, etc. When I clicked
on an App folder, there were very brief "blinks" of one or two windows,
could not read anything in them of course -- hence my guess that
something was interfering with Explorer. I could not determine whether
the missing *.exes were really missing, or were merely disguised. I
won't bore you with all the speculation and guessing I went through,
much of it at 4 am, when I woke up after some bad dreams. ;-)

d) Went online on the other machine, d/l a variety of AV (Malwarebytes,
Avira, etc) _including Lipman's Multi-AV tool._ I vaguely recalled a
post some weeks ago that suggested that a fake version of his tool was
floating around, and thought perhaps that I'd d/l that, hence the
problem. Anyhow, the version I d/l this time works OK with Sophos and
Trend. The scans show nothing at present. I haven't dared to try the
Kaspersky.

e) installed the AV stuff on E: (the 2nd partition on Disk 0). Ran it
all, cleaned up whatever showed up. Did not back up the logs, that
thought didn't occur to me until later. I was too focussed on just
getting rid of the damn malware, you see. Keep in mind that aside from
some cancelled admin functions and the absence of application files, the
machine ran OK. (I did miss Solitaire, though, the games were gone, too.)

f) Repaired XP. This brought back everything except the "Shut down
computer" notice on the welcome screen. Probably needs a registry key fix.

g) reinstalled applications, but this time on E:. FWIW, I will never put
applications and system on the same partition ever again. That was my
practice pre-XP, and I should've stuck to it. I've had a separate data
partition from as far back as I can recall.

Now, the machine is running OK, the regular scans show nothing. Apart
from an increase in my paranoia, everything's back to normal.

Cheers,

Wolf Kirchmeir
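Two questions in the account above are answerable with a few minutes of read-only checking rather than guesswork: which "policy" was refusing the reinstall, and whether the program *.exe files were really gone or merely disguised. The script below is an added example and is not from the thread or from any of the tools it mentions. The registry paths are the real Windows locations for the user and software-restriction policies and for Image File Execution Options; the assumption is that on a home PC none of these values are set deliberately, so any hit deserves an explanation. The "hidden versus deleted" heuristic (compare a plain listing with a -Force listing) is also an assumption about what Explorer hides, not something the post established. It needs PowerShell 2.0 or later and an elevated prompt.

```powershell
# Added example, not from the thread: read-only triage for the symptoms
# described above (installs refused "by policy", program *.exe files gone,
# admin tools empty). Run from an elevated PowerShell prompt (2.0 or later).
# Nothing here modifies the machine.

# 1. Registry policy values that malware commonly sets to lock the user out
#    of tools and installers. The key paths are the real Windows locations;
#    the notes give each value's effect. Assumption: on a home PC none of
#    these are set on purpose, so any value found at all is worth explaining.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'DisallowRun';          Note = '1 = block executables listed in the DisallowRun subkey' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun';                Note = '1 = remove Start > Run' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Note = '1 = block regedit' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Note = '1 = block Task Manager' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers';   Name = 'DefaultLevel';         Note = 'Software Restriction Policy default: 0 = Disallowed, 0x40000 = Unrestricted' }
)
foreach ($c in $policyChecks) {
    if (-not (Test-Path $c.Path)) { continue }
    $props = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
    $name  = $c.Name
    $value = $props.$name
    if ($null -ne $value) {
        Write-Output ("POLICY   {0}\{1} = {2}   [{3}]" -f $c.Path, $name, $value, $c.Note)
    }
}

# 1b. The names blocked by DisallowRun live in a subkey of the same name,
#     one string value per program, numbered "1", "2", ... ; an AV or
#     scanner executable showing up here explains "nothing runs".
$drKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
if (Test-Path $drKey) {
    (Get-ItemProperty -Path $drKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Write-Output ("BLOCKED  {0}" -f $_.Value) }
}

# 2. Image File Execution Options "Debugger" hijack: a Debugger value under
#    ...\Image File Execution Options\<tool.exe> makes Windows start that
#    "debugger" instead of the tool, so the tool silently never launches.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Write-Output ("IFEO     {0} -> {1}" -f $_.PSChildName, $dbg) }
}

# 3. Deleted or merely hidden? Explorer does not show files carrying the
#    Hidden/System attributes; Get-ChildItem -Force does. A program folder
#    whose *.exe files appear only in the -Force count was hidden, not wiped.
#    (Assumption: a legitimate program folder normally has at least one
#    visible *.exe; treat "EMPTY" as a prompt to look, not as proof.)
$progDir = Join-Path $env:SystemDrive 'Program Files'
Get-ChildItem -Path $progDir -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $visible = @(Get-ChildItem -Path $_.FullName -Filter *.exe -Recurse -ErrorAction SilentlyContinue).Count
        $total   = @(Get-ChildItem -Path $_.FullName -Filter *.exe -Recurse -Force -ErrorAction SilentlyContinue).Count
        if ($total -gt $visible) {
            Write-Output ("HIDDEN   {0}: {1} of {2} *.exe hidden" -f $_.Name, ($total - $visible), $total)
        } elseif ($total -eq 0) {
            Write-Output ("EMPTY    {0}: no *.exe at all" -f $_.Name)
        }
    }
```

Two caveats. An IFEO Debugger entry is not automatically malicious: some legitimate tools register one for taskmgr.exe to replace Task Manager, so check what the named "debugger" actually is before deleting anything. And all of this reads the registry and file system through the possibly compromised OS; if a rootkit is filtering those views, the counts and values can lie, which is one reason the thread's advice to scan from a second, known-clean machine or boot medium is sound. Whatever the output, save it to a file before cleaning so the question "what was it?" has an answer afterwards.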

Re: Virus problems - a sad story

On 01/18/2009 05:19 AM, greywolf sent:
[quoted text elided]

Hello Wolf:

This certainly gives testimony to your tenacity.

Perhaps you did this too, and haven't mentioned it; would running and
examining the outputs of Autoruns 9.38 and/or HijackThis 2.02 make sense
at this point?  These would further attest to your thoroughness.

If you also ran System File Checker (SFC), that also wouldn't hurt.

I'm sure many would have flattened and rebuilt.  Wow!  Congratulations!

Best wishes to you.

Pete
--
1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Re: Virus problems - a sad story



[quoted text elided]

Have you ever considered that the ON button should be left well alone ?


Re: Virus problems - a sad story

1PW wrote:
[quoted text elided]

Thanks, did so, didn't find anything weird or suspect (I checked up on
unknown files on the web.)

[quoted text elided]

That's next. ;-)

[quoted text elided]

Ah, I'm just stubborn, is all.



Re: Virus problems - a sad story

Wolf K wrote:
[quoted text elided]

After all that I still don't know what AV you were originally running,
please post so I'll know not to use it.
Are you aware of image backup programs, they do come in handy.
Dave Cohen

Re: Virus problems - a sad story

On 01/20/2009 07:59 AM, Dave Cohen sent:

Snip, snip...

Hello Dave:

[quoted text elided]

Yes!  I'd like to know the answer to that one too.  However, some
otherwise good freeware/shareware AV applications, rely on /manual/ updates.

Also, some AV applications don't offer real time protection until
you upgrade to their /paid/ version.

Users can easily forget these things till after tragedy strikes.

Pete
--
1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Re: Virus problems - a sad story

Dave Cohen wrote:
[...]
[quoted text elided]

Sorry, Dave, I misunderstood your original request.

VIPRE is the start-up AV, and was running at the time. When I tried to
reinstall it from the zip-exe file, I got a "Policy does not permit
extraction" message, at which point I realised I was in somewhat more
than usually serious trouble.

Here's what happened:

I started Lipman's multi-av, and had clicked on Sophos and Trend. The
mess began when I clicked on Kaspersky.

a) I did _not_ initiate scans by Sophos or Trend;

b) the copy of multi-av may have been a rogue copy, since I d/l it from
a site found by searching on "multi-av."

c) during the clean-up, I d/l multi-av from Lipman's link, and ran both
a Sophos and a Trend scan. Nothing found. I haven't scanned with Kaspersky.

HTH

wolf k.
