OzoneFriendly

asked on

Unknown Virus - Advice on how to find and clean the infection?

I had one machine that was completely unresponsive, but I could get Task Manager up, so I put in my USB key full of spyware and virus fixes and other utilities to try and fix it. I got nowhere;

I have since put the USB key into three other machines, and after the 2nd of those, I realised that the first machine had infected the key, and the key had now infected these machines.

Errors I have seen so far include:

WINLOGON.EXE error on startup.

Machine spontaneously reboots

Machine logs in but no explorer.exe hence no desktop icons or task bar.

On the first machine I have:

Scanned the hard drive out of the machine with NOD32; It found a range of files it thought were bad but did not specifically know what they were infected with, and some of those were windows system files (and some looked like they were, but I did not find comparable files on a clean windows machine).

I had NOD32 delete all the infected files, and I copied over good copies of the true windows files from another machine. After that, the computer still booted and logged in but still did not have icons or the start menu / task bar.

A repair install on that machine got it working, but I cannot run programs; Clicking IE, for example, does nothing, it just doesn't start up. I tried to uninstall the AV software (Norman) but that gives an error. (I wanted to reinstall it as one of the infected files was from it too).

At least one of these machines I am desperate not to reformat, so any advice on where to look or what to try would be gratefully received.
ASKER CERTIFIED SOLUTION
r-k
OzoneFriendly (ASKER)
Yeah, the machine that I can't afford to reformat clean I might have to make a ghost image of and try the repair install route;

I am still hopeful of someone either having had the same problem or suggesting a "fix it" solution that works. I'm trying all sorts of things on one machine that is affected (that I don't care if I stuff completely) to see what might help.

I'm a bit worried that a repair install won't fix it, after the repair install went bad on the first one I tried.
A repair install may not work for several reasons, and in any case it may not remove virus infections, so I would remove the malware first, only then try the repair install. You are on the right track by making a copy first to guard against accidents.

If the machine is "sort of working", you can run HJT and post the log here.
Just to clarify, I have a total of FOUR affected machines here :-)

Machine 1) Has had some malware removed by BITDEFENDER, is currently ghosting before I hit it with a few more scans and repair install to see how far I get.

Machine 2) Is currently being scanned with NORMAN VIRUS CONTROL in another working box.

Machine 3) Was scanned and cleaned with NOD32, which left us with the same symptoms (no task bar or icons, unresponsive). Then I repair installed it, and now most things won't run. I figure it still has an infection.

Machine 4) Cleaned with NOD32; Now it gets to the login screen, gives one WINLOGON.exe error, two GINSTALL.EXE errors, and then the login dialog disappears. Managed to run Hijackthis on it and remove just about anything that might be suspect, same symptoms. Am currently running NGENFIX (norman), which has claimed to have removed "10 system hooks", and we'll see how that goes.

It's going to be a long night :-)
Oh, and when the virus/malware attacks the machine, you usually get this error message;

winlogon.exe - Application Error

The instruction at "0x7e42ee24" referenced memory at "0x76726553". The memory could not be "read".

Someone might have heard of it?
Latest info;

The fourth machine comes up with the errors on startup; So I ignored them, and was able to log in, leaving the first error message on screen. I still didn't get explorer running, but I was able to start that manually and use the machine;

I can't open control panels though.

I was able to then run hijackthis, but it turned up nothing of interest (ran it through the log analyser to be sure).

I've managed to run sfc /scannow on a couple of the problem machines, but it whizzed through in a heartbeat and did nothing.

The machine I repair installed is still infected, I booted a WinPE disc and ran NOD32 and it found a heap of infections.

What a nightmare :-)
Looks like nobody's got any new suggestions :-(

I have noted that the filesize of winlogon.exe is unchanged on affected machines, so I think the winlogon.exe error must be related to something else the virus has messed up.

It's looking a lot like clean installs all round.
SOLUTION
rpggamergirl
>>Managed to run Hijackthis on it and remove just about anything that might be suspect,<<

Can you tell us what those entries were that you had HijackThis fix?
You can look in the backup (HijackThis keeps a backup copy of the entries that were fixed) if you still have them.
Three of the machines have been clean installed... I could find no way to clean them.

The fourth I have some hopes that after using NOD32 on the drive, a repair install will fix it. This is the only XP Home machine to be infected.
Oh, and combofix didn't help at all. I don't have the HijackThis log at this stage, because I couldn't get it off the machine any other way than to save it locally, pull the hard drive out and connect it to one of my machines.

I've since blotted that drive. :-(

I do have some files that I believe are part of the problem, and I still have my USB key which is infected, so I can always reinfect a machine to play with later. :-)
Also, try:
SmitFraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
VundoFix (http://www.atribune.org/content/view/24/2/)
RustBFix (http://www.uploads.ejvindh.net/rustbfix.exe)

Also, send us your HijackThis log for rpggamergirl and r-k to analyze.
Oh, never mind...
Can we look at the result of the combofix scan? The log will be helpful to us and will tell us about the flash drive and other infections that are present.

Okay Experts;

I'm back to square one with one of the PCs, so I am ready to try all things you want me to try, although I do need to get it fixed sooner rather than later, so might have to re-reload it; The story thus far;

After much stress I just wiped the drive and did a clean install of Windows XP Pro. I copied a folder of installed software from the previous install (which I had backed up first), and all was fine;

Another tech then had the job of setting up the software I had copied across (as this is the job of this PC), and everything was going great until he ran the software I had copied back, at which point the machine was reinfected.

So, I know that those files somewhere are infected, however running a virus scan on them finds nothing.

The machine in question now just restarts during boot up, so running anything on the machine is going to be tricky.

I currently have the hard drive connected to one of my machines and am running ROOTKIT REVEALER over it, as I had a guy ring the office this morning after reading a blog post I made about it and suggest that. - Update, I can't figure out how to make it scan the hard drive, it's only checking the local registry. More on that if I can figure it out :)

More to follow.
"..currently have the hard drive connected to one of my machines and am running ROOTKIT REVEALER over it"

This may not help. RootkitRevealer can only find the problem if the rootkit is active, i.e. you booted from that disk and then ran RKR. RootkitRevealer will not find anything if the rootkit is dormant.

As long as you have your disk attached to another machine, I'd suggest running the free version of SuperAntiSpyware:

 http://www.superantispyware.com/

Another good choice is the trial version of Prevx:

 http://info.prevx.com/downloadprevx2.asp
I'll give those a go and see what turns up;

I have connected my now infamously infected USB key to a machine I have disabled autorun on, and found at least one .exe on it that has a file size significantly larger than it should be. I am submitting that to the Norman Data Defense gurus for analysis.

Norman Virus Control, my preferred AV solution, finds nothing untoward on the drive we are now talking about. I'll see if either of your suggestions can pinpoint anything suspect.
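The check described in the post above (an executable on the key that is larger than it should be) can be done systematically by comparing the suspect drive against known-good copies from a clean machine, the same approach the asker used when replacing deleted system files. The script below is an added example for this thread, not code from any participant or product named here; the directory layout, file names and byte contents are constructed placeholders, and the size-then-hash comparison is the only technique it demonstrates.

```python
"""Compare executables on a suspect drive against known-good copies by size and SHA-256."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_trees(clean_root: Path, suspect_root: Path, exts=(".exe", ".dll", ".scr")) -> dict:
    """Report executables that differ from the clean reference and those with no reference copy.

    A size mismatch short-circuits the hash, so a grown file is flagged cheaply; equal sizes
    still get hashed, because an in-place modification leaves the size unchanged.
    """
    report = {"modified": [], "unreferenced": []}
    for suspect in sorted(suspect_root.rglob("*")):
        if not suspect.is_file() or suspect.suffix.lower() not in exts:
            continue
        rel = suspect.relative_to(suspect_root)
        clean = clean_root / rel
        if not clean.is_file():
            report["unreferenced"].append(str(rel))
            continue
        s_size, c_size = suspect.stat().st_size, clean.stat().st_size
        if s_size != c_size or sha256_file(suspect) != sha256_file(clean):
            report["modified"].append({"path": str(rel), "clean_size": c_size, "suspect_size": s_size})
    return report


def demo() -> dict:
    """Constructed sample: a reference copy of a tools folder and a copy where one .exe grew by 4 KiB."""
    base = Path(tempfile.mkdtemp())
    clean, suspect = base / "clean", base / "suspect"
    for root in (clean, suspect):
        (root / "tools").mkdir(parents=True)
        (root / "tools" / "tool.exe").write_bytes(b"MZ" + b"\x00" * 2048)  # placeholder bytes, not a real binary
        (root / "readme.txt").write_text("notes")  # non-executable, ignored by the filter
    (suspect / "tools" / "tool.exe").write_bytes(b"MZ" + b"\x00" * 2048 + b"\x00" * 4096)  # grown copy
    (suspect / "tools" / "extra.exe").write_bytes(b"MZ")  # present only on the suspect copy
    return compare_trees(clean, suspect)


if __name__ == "__main__":
    print(demo())
```

Point `compare_trees` at a mounted clean reference and the suspect volume; anything listed under "unreferenced" has no trusted counterpart and needs a separate scan or submission rather than a simple copy-over.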
OK. You can also submit the suspect file to these two sites:

 http://www.virustotal.com/
 http://virusscan.jotti.org/

they do an online scan against a variety of AV engines to see if the malware can be identified. You get the results back almost right away.
Update: I scanned my USB key with a trial version of AVG Anti Virus Pro, and it found all the files infected with VIRUT. Now, finally, I know I am dealing with a virus. The only question is, will I be able to clean an infected machine such that it will go back to normal?
SUCCESS;

AVG deleted all the infected files; I replaced all the deleted files with good copies from a clean machine, and the machine booted into windows.

On that boot I got a winlogon.exe error; I did NOT click the dialog box, but instead disabled system restore, rescanned the hard drive "live", and restarted it. Now it's clean and working fine!

For the record, superantispyware found nothing of interest on the affected drive.
Glad to hear that. If you submit the file to virustotal.com or jotti.org you can see which AVs will catch it.