virus on pc, please help

Razzmataz73
I have a friend that clicked on the Invitation card.zip file from something she thought was from Twitter. I installed Spyware Doctor which a Google search said would fix the issue. It found a ton of things, but once I restarted it keeps getting bluescreen with: *** STOP: 0x000000E9 (0x86DC23C8, 0x00000000, 0x00000000, 0x00000000)

I then restart and then it goes to Spyware Doctor again, it finds some issues and then the blue screen again... etc.

Can someone help me get rid of this virus?

Here is some info I found at:
http://versatile1.wordpress.com/2009/06/26/false-twitter-invitations-leading-to-spyware/


False Twitter Invitations Leading to Spyware?
2009 June 26
tags: protection, Scams, Trojans, Twitter, Viruses
by freewareelite

I'm sure some of the people who read this post follow Welcome to the Underground Blog and maybe other blogs by Twitter. However, did you know that some hackers send false Twitter invitations to lure people into installing spyware or downloading viruses?

Ever since Twitter became the major channel for information spread by Iran presidential election protestors, its popularity has rocketed upwards. Even the news of the Phoenix discovering ice on Mars was first announced on Twitter. However, all good things have a bad side. Cyber criminals are now sending false Twitter invitations to prompt installation of Trojans and virus worms!

From the format and content, the false invitation looks like it's a real one sent by the Twitter official site. However, if you look at it closely, you'll find that the false invitation does not have the inviting link, contrary to the real invitations. In its place is a link that downloads a file called invitation.zip in the background that you cannot control, and lures the people who are considering joining Twitter into downloading the virus contained in the invitation.zip.

The virus in that zip file has been identified as a worm W32.Ackantta.B@mm by ESET NOD32 antivirus (it's definitely NOT an email address!). This worm earlier appeared in February's invitation card attack, which collects email addresses from the infected computers, and copies itself to those multiple addresses (this is how it's supposed to work, but it's usually blocked 90% by stronger AV programs such as ESET or AVG).

I remind readers to upgrade their antivirus and communication software to prevent getting infected.
Rob Hutchinson, Tech Lead, Desktop Support
Commented:
There's more than one option that other people will post here, but an easy fix might be to try booting into safe mode with networking and download and install Malwarebytes (www.malwarebytes.org)

Run this in safe mode, and see if it finds anything, you might also need to disable the system restore to prevent the virus from reinfecting your computer.
Though not as effective as Microsoft intended it, you may first try to do a System Restore back to a point before this occurred.
Rob Hutchinson, Tech Lead, Desktop Support

Commented:
I'd also run the disk cleanup and also remove all the files from the temp folders in
C:\Temp, C:\Windows\Temp, and
C:\Documents and Settings\yourloginnamehere\Local Settings\Temp

Author

Commented:
Thank you all for your prompt responses.
 
It turned the system restore off and it won't let me turn it back on.
Whenever I try and reboot in any mode other than normal it goes bluescreen.

I am running the disk cleanup now.
Rob Hutchinson, Tech Lead, Desktop Support

Commented:
Did you download and run Malwarebytes?

Author

Commented:
Still having issues with it going blue screen.
Please help.
nothing suggested so far is working.

Author

Commented:
No, I ran Spyware Doctor and it was still going blue screen.
Installing and running Malwarebytes now...

Ran Malwarebytes and it shut itself down and now I get a message saying:
c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

(Note: there is only one user for this pc).
Rob Hutchinson, Tech Lead, Desktop Support

Commented:
Is the user account you are using in the local administrator group or does it have Administrator privileges?

Okay, if it's already in the admin group, you might have to remove the drive and scan it using another computer. It's obvious that the virus is messing it up and preventing you from cleaning it normally.

What kind of computer is it, and what type of hard drive is it?

Author

Commented:
It is an Optiplex GX520

You can create an A-V boot disk with www.ubcd4win.com (add the Kaspersky add-in) or www.freedrweb.com. Then scan using the CD.

UBCD4WIN also will contain other tools that may be helpful in beating this.

Author

Commented:
I had my flash drive in that computer, and when I put it in my laptop my Kaspersky caught something:

7/17/2009 5:02:45 PM      Detected: Trojan.Win32.Buzus.bogy      F:\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe      

Does that help at all?

Author

Commented:
If it comes to taking the hard drive out is there a company (circuit city, best buy, etc..) that you could suggest that would be able to clean the pc for us?
Rob Hutchinson, Tech Lead, Desktop Support

Commented:
Yes, your flash drive is also infected.

On your desktop, you can remove the drive fairly easily without tools. You could try and attach it to another desktop computer as a slave drive (pretty sure this computer uses SATA drives).

Before you attach it to the other computer, load Malwarebytes on the computer and download updates.
With the power off (obviously) attach the drive to the second computer and boot into safe mode before scanning it.

If you do not have another computer with a slave SATA drive connection, there are cable kits that let you attach the drive through the USB port:
http://www.vantecusa.com/front/product/view_detail/266

Author

Commented:
Will repairing windows help get rid of the virus?
Rob Hutchinson, Tech Lead, Desktop Support

Commented:
Nope, repairing Windows will probably not remove the virus.

If you backup all your personal data, you could do a fresh* install of Windows and then have to reinstall all your programs without spending any money.

*Wipe the existing Windows partition and then reinstall Windows back onto this drive.
Make sure you backup at least your desktop, favorites, and My Documents folders.

This really is a pain in the ... way to go here, but if you do not have a way to attach the drive to another computer to get it scanned, it might be your only way to clean the drive.

Repartitioning the drive will, of course, wipe all your programs, program data files, etc. So make sure you have all your important data backed up.

As another thought...depending on how old the computer is:
You could just buy a new hard drive, do a fresh install of Windows on this drive, load a "good" AV program on it, then attach your old hard drive as a slave drive to clean it and copy over whatever data you might need, or after you clean it, make it the main drive again and attach the new drive as a slave to make backups on in the future.

Author

Commented:
Just to verify, no one here knows how to clean the PC after someone downloaded the Invitation Card.zip without disconnecting the hard drive and connecting it to another PC.

Correct?
Rob Hutchinson, Tech Lead, Desktop Support

Commented:
Well, not me, other than booting into safe mode which will prevent the computer from loading the virus into memory...but you said your computer blue screened when trying this, right?

Maybe someone else has some ideas.
Read my earlier post about creating a bootable CD. By booting from the CD, it will load the OS from the CD and not the hard drive, therefore giving you full access to the hard drive without the problem of having any open files on the HD. In the case of viruses that disable certain A-V programs that are installed on your computer, a bootable CD is helpful.

This particular trojan looks like it can spread through attached drives and network shares, so be careful what you attach to this computer until you are sure it's virus free.

Here's what Symantec says about this virus:
http://www.symantec.com/security_response/writeup.jsp?docid=2009-022520-1425-99
Read the Technical Details tab and also be aware of suspicious autorun.inf files that get launched when a drive is accessed.
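The two indicators mentioned in this thread (a drive-root autorun.inf that launches a program, and the detection of redmond.exe under a RECYCLER folder named with a malformed SID) can be checked offline once the drive is mounted from a clean boot. The following is an added example, not code from the thread or from any tool it names; the sample tree it builds is constructed to mirror the log line above and contains no real malware:

```python
"""Constructed example: scan a mounted drive root for autorun.inf entries that
launch a program and for executables hidden under fake Recycle Bin folders."""
import configparser
import os
import re
import tempfile

# A per-user Recycle Bin folder is named after a real account SID (S-1-5-21-x-y-z-RID);
# the thread's detection sat under S-1-6-21-..., which is not a valid account SID.
SID_RE = re.compile(r"^S-1-5-21(-\d+){3}-\d+$", re.IGNORECASE)
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command"}  # autorun.inf keys that run code

def parse_autorun(path):
    """Return the program-launching entries of an autorun.inf (INI syntax), or []."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read(path, encoding="latin-1")
    if not cp.has_section("autorun"):
        return []
    return [f"{k}={v}" for k, v in cp.items("autorun") if k in LAUNCH_KEYS]

def scan_drive(root):
    """Walk the drive and return (indicator, path) findings for a human to review."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        parts = [p.upper() for p in os.path.relpath(dirpath, root).split(os.sep)]
        if parts[-1] == "RECYCLER":  # subfolders here must be named after real SIDs
            for d in dirnames:
                if not SID_RE.match(d):
                    findings.append(("malformed SID folder under RECYCLER", os.path.join(dirpath, d)))
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.lower() == "autorun.inf":
                for cmd in parse_autorun(full):
                    findings.append(("autorun.inf launches a program", f"{full}: {cmd}"))
            elif "RECYCLER" in parts and name.lower().endswith((".exe", ".scr", ".com", ".pif")):
                findings.append(("executable inside Recycle Bin folder", full))
    return findings

def build_sample(root):
    """Constructed tree mirroring the thread's log line; the .exe is a text placeholder."""
    bad = os.path.join(root, "RECYCLER", "S-1-6-21-2434476521-1645641927-702000330-1542")
    good = os.path.join(root, "RECYCLER", "S-1-5-21-1111111111-2222222222-3333333333-1001")
    os.makedirs(bad); os.makedirs(good)  # 'good' is a well-formed SID and must not be flagged
    open(os.path.join(bad, "redmond.exe"), "w").write("placeholder")
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write("[autorun]\nopen=RECYCLER\\S-1-6-21-2434476521-1645641927-702000330-1542\\redmond.exe\nicon=shell32.dll,4\n")

def demo():
    """Build the sample in a temporary directory and return the findings (three expected)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return scan_drive(root)
```

Run `scan_drive("/mnt/infected")` (or the drive letter) against the mounted volume; each finding is a lead to review, not a verdict.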

Author

Commented:
Thank you notacomputergeek.
I am downloading UBCD now.
Can I put it on a flash drive instead of a cd?

Can you walk me through the steps to boot from it?
Or is it pretty easy once the download is complete?

Author

Commented:
Also at this point I can't get into windows anymore on the broken computer.
But I do have the CD and can access the system recovery console.

Author

Commented:
notacomputergeek you ROCK!
I was able to create a bootable UBCD on my flash drive, and the other pc is booting up.
I have it running Norton Go Back now.
What else should I have it do?

Author

Commented:
My computer is stuck in a mode where I tried to reinstall windows in safe mode.
But when the computer reboots it can't finish installing because it is in safe mode, so it just creates this endless loop.

I have looked around for the answer and it looks like I need to modify the boot.ini.
I can access the windows recovery console and I have UBCD for windows.

Can someone please outline the steps I need to do in order to change the boot.ini file?
Or even better, how to run a system restore using UBCD (if that is possible).

Thanks in advance for your help.

Author

Commented:
I understand that it is most effective in Normal Mode.
But how do I get it back in Normal mode and out of safe mode?
What's the current situation? Can you boot in any mode? If not, where exactly does it stop or auto reboot? This particular virus can disable booting into Safe Mode (see http://blog.didierstevens.com/2007/02/19/restoring-safe-mode-with-a-reg-file/ on how to restore it). Use Remote Registry in UBCD4WIN to access the C: drive registry.

How did you go about reinstalling Windows?

Author

Commented:
I used spotmau which enabled me to reboot, get out of safe mode and reinstall windows.
Then I installed Kaspersky did a complete scan, it found a TON of stuff.
I am now installing updates and fixing all the things the virus fried, including turning off access to regedit and turning off system restore.  I have been able to get those issues resolved and am working on windows updates now.
Thanks for the update - it sounds like it's getting under control. I hope your friend appreciates all the work you've done!
Rob Hutchinson, Tech Lead, Desktop Support

Commented:
@ younghv:

We run Malwarebytes in safe mode with networking all the time on hundreds of computers, and have never run it in normal mode.

The logic is to run it when the virus is not resident in memory where most AV programs fail to clean the virus, or the virus disables the AV software.

I'll check the Malwarebytes website for more info on this though so thanks for this info, I'll give it a try.
Author of the Year 2011
Top Expert 2006

Commented:
WiReDNeT -
Here is the link to the specific discussion and the advice from one of the actual developers of MBAM - pretty sharp folks.

http://www.malwarebytes.org/forums/index.php?showtopic=17334&st=0&p=89610&#entry89610
