Solved

Virus on laptop Windows Vista Ultimate

Posted on 2012-04-12
708 Views
Last Modified: 2012-04-20
I have a virus on a laptop.  What has happened is all of the program files, users, etc. are gone - all desktop icons also disappeared.  After looking at the laptop, I realized that all of the folders were hidden (greyed out).  I unhid the folders and program files, program data but the virus is still there.  I was running AVG and it detected the virus, but I cannot get rid of it.
Has anyone seen this?  How do I get rid of it?

I can log into it and navigate to the internet, but still need to rid the virus.
Question by:manch03
40 Comments
 
LVL 6

Expert Comment

by:sarasotamac
ID: 37839295
Start with Malwarebytes, if you can install it. Run it a few times.
0
 
LVL 6

Assisted Solution

by:sarasotamac
sarasotamac earned 250 total points
ID: 37839297
Download from http://www.malwarebytes.org/ and make sure to update it before scanning.
0
 
LVL 7

Expert Comment

by:mmicha
ID: 37839340
Malwarebytes is a good program for cleaning, as suggested.  You may also want to run it from safe mode rather than the normal login.  You can get to it by rebooting, holding down the F8 key, and selecting "safe mode with networking".
0
 
LVL 62

Accepted Solution

by:☠ MASQ ☠
☠ MASQ ☠ earned 250 total points
ID: 37839355
0
 
LVL 2

Expert Comment

by:PSGITech
ID: 37839388
I used to like Malwarebytes...recently it's not cleaning the infections... try Combofix

http://www.bleepingcomputer.com/download/anti-virus/combofix

You will need to disable AVG temporarily...tools ->advanced-> temp disable AVG.

Run ComboFix but only download from Bleeping Computer.

Then I do a custom install of the old version of Spybot 1.6.2 without the realtime components; the Tea Timer sucks. Update and Immunize, then Search and Destroy to remove the bad guys, and then run a registry cleanup. CCleaner is an effective tool.
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 37839417
Whoa! Please do not use CCleaner on this particular kind of infection.  This particular nasty moves your important files to temporary folders, which is what CCleaner erases.
0
 
LVL 2

Expert Comment

by:PSGITech
ID: 37839819
After the infection is cleaned, use CCleaner for registry cleanups.
0
 

Author Comment

by:manch03
ID: 37840580
In safe mode, running Malwarebytes a second time. Waiting for that to finish. The last scan found 3 trojans and I removed those. It takes a while, so I will get back with you.
0
 

Author Comment

by:manch03
ID: 37840763
Second scan - same 3 viruses, selected to remove and rebooting again.
0
 

Author Comment

by:manch03
ID: 37841861
3rd scan with Malwarebytes and the same 3 viruses appear - it is not removing them. I will go to the other site and try those solutions.
0
 

Author Comment

by:manch03
ID: 37842340
The other issue - access is denied on every folder I try to open on the C drive -
annoying.  I have the user access control off and I cannot get into any folder - access is denied.  I am a local admin on the laptop - how do I get around this?
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 37843704
Which folders are you trying to access? They're most likely owned by TrustedInstaller. Can you post the log for Malwarebytes? Umm, also, if you're getting help from another site it makes it almost impossible for us or anyone else to help you. The malware symptoms you talk about do sound like a rogue antivirus infection.

What happened during this infection? Did you receive a popup with a security tool, antivirus, cleaning tool, or some other advertisement?
0
 

Author Comment

by:manch03
ID: 37848388
This has gone from bad to worse.  I tried installing the anti-virus that was suggested on the link - Avira - could not install - stopped responding.  Then I rebooted and all I get now is: System Message - write fault error.  A write command during the test has failed to complete.  This may be due to a media or read/write error.  The system generates an exception error when using a reference to an invalid system memory address.  Cancel / Try again / Continue.
Then this S.M.A.R.T. Repair comes up with multiple messages - hard drives diagnostic report -
hard drive boot sector reading error - critical.... and goes on and on.  Then I click on Repair and it is something that I need to purchase.  This is in normal mode - not safe mode.  There is nothing in the start menu - it is completely blank (empty).  Yesterday, it told me the hard drive was missing and it would not even start.
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 37848463
This is scareware; you have Smart HDD/System Check still infecting your system. The error messages are fakes trying to get you to part with money for a fix that isn't needed.

Please read through the link I posted, run The Killer followed by MBAM, don't restart between running the two.
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 37848473
Here's a step-by-step guide if you prefer:
http://www.bleepingcomputer.com/virus-removal/remove-smart-hdd
Feel free to post back at any stage if you're having problems.

Be reassured that your computer is actually OK, it's just the malware that's making it appear to be failing.
0
 

Author Comment

by:manch03
ID: 37848981
This laptop will not allow the rkill to run. It terminates immediately. Access is denied. I could not even go to that site with the laptop. I had to download it to a USB drive, copy it to the desktop (the renamed one), and it also terminated that one. Is this what it should do?  Should I run the mbam now?
0
 

Author Comment

by:manch03
ID: 37848983
Renamed one. Sorry about that.
0
 

Author Comment

by:manch03
ID: 37849029
Ok. Finally got it to run. I ended up running unhide and then ran the explore.exe file again, and now I'm making some progress. Running mbam now. Will keep you updated.
0
 

Author Comment

by:manch03
ID: 37850554
Ran mbam - found 31 bad things - removed those - should I run this 3 times to make sure they are gone?
0
 

Author Comment

by:manch03
ID: 37851286
Lost power - computer shut down - rebooted into normal mode and it looks like it is back.  Darn,  I will have to start over again.
0
 
LVL 6

Expert Comment

by:sarasotamac
ID: 37851321
At this point, I would recommend trying to save data and rebuild. With this many issues I would start with a fresh OS. If you can save files, do that and reformat. If not, this could continue for a long time.

Just my thought.
0
 

Author Comment

by:manch03
ID: 37851341
That is what I was thinking - especially after 3 hours of scanning and removing and then it comes right back....
0
 
LVL 6

Expert Comment

by:sarasotamac
ID: 37851350
Sucks, but you know it will be fixed.
0
 

Author Comment

by:manch03
ID: 37851496
@Russell - no I am not getting any advice from any other site - I clicked on the link above to run the kill program, which worked.  I was following the directions on that site that the link describes above.  Should I not do that?
0
 

Author Comment

by:manch03
ID: 37851511
@Russell - This is not my laptop - so I am not sure what happened, except I was told that all the icons disappeared off the desktop and all the folders appeared to be empty under the C drive.  Everything was listed as empty.  Then I realized they were all hidden, and when I unhid the files through Windows, they appeared, but were still greyed out, so I knew something was wrong.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 37851874
Those instructions are fine. I can definitely work with that. We do need to see the logs generated by Malwarebytes and any other tools used during this process. Tell me your progress after you have attempted the above link as well.
0
 

Author Comment

by:manch03
ID: 37851907
Ok - Had to start all over and mbam is running now - has been for 1 hour 45 minutes -  I will post that log when it is finished.
0
 

Author Comment

by:manch03
ID: 37852057
Here is the log - I have not rebooted it yet - I am afraid this will come back.
I will wait for instructions on what to do next.

Protection: Disabled

4/16/2012 9:54:50 AM
mbam-log-2012-04-16 (09-54-50).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 718595
Time elapsed: 2 hour(s), 4 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 15
C:\Windows\System32\KS0108.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\AGV.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\aslm75.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\firelm01.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\gs30s.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\GTF32BUS.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\HBtnKey.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\ivscheduler.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\pxfhmdfl.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\qkbfiltr.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\rt73.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\swupdtmr.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\viaagp.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\ZDPSp50.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\Temp\ms0cfg32.exe (Exploit.Drop.CFG) -> Quarantined and deleted successfully.
0
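As an added example (not code from this thread, from Malwarebytes, or from the tools named in it), here is a small Python parser for the "Files Detected" section of the log posted above: it cross-checks the declared count against the entries actually listed, groups hits by detection family and directory, and flags a rootkit family living under System32, which is the situation that leads MASQ and Russell_Venable to advise re-running the killer plus MBAM with no reboot in between and checking the MBR rather than trusting a single "deleted successfully" line. The sample input is the verbatim section from the log above; the field names and the "rootkit under System32" rule are my own assumptions, not part of the MBAM format.

```python
import re
from collections import Counter

# Verbatim "Files Detected" section of the MBAM log posted in this thread (2012-04-16).
SAMPLE_LOG = r"""Files Detected: 15
C:\Windows\System32\KS0108.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\AGV.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\aslm75.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\firelm01.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\gs30s.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\GTF32BUS.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\HBtnKey.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\ivscheduler.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\pxfhmdfl.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\qkbfiltr.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\rt73.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\swupdtmr.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\viaagp.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\ZDPSp50.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\Temp\ms0cfg32.exe (Exploit.Drop.CFG) -> Quarantined and deleted successfully.
"""

HEADER_RE = re.compile(r"^Files Detected: (\d+)$")
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
SYSTEM32 = "c:\\windows\\system32\\"  # assumed location of interest, compared case-insensitively

def summarize(text):
    """Parse the section, cross-check the header count, and group hits by family and directory."""
    declared, entries = None, []
    for line in text.splitlines():
        if m := HEADER_RE.match(line.strip()):
            declared = int(m.group(1))
        elif m := ENTRY_RE.match(line.strip()):
            entries.append(m.groupdict())
    # Assumed triage rule: a rootkit family under System32 means a "deleted" line is not
    # enough on its own; the thread's advice is to re-run RKill/TheKiller and MBAM without
    # rebooting between them and to check the MBR before declaring the machine clean.
    rootkit = [e["path"] for e in entries
               if e["name"].lower().startswith("rootkit") and e["path"].lower().startswith(SYSTEM32)]
    return {
        "declared": declared,
        "parsed": len(entries),
        "count_matches": declared == len(entries),
        "families": dict(Counter(e["name"] for e in entries)),
        "directories": dict(Counter(e["path"].rsplit("\\", 1)[0].lower() for e in entries)),
        "rootkit_in_system32": rootkit,
    }
```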
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 37852584
If it helps, at this stage you need only run the Quick Scan in MBAM; that will cover all the likely locations. Once everything comes up clean in Quick Scan, you could run a full scan just to cover all the bases.  Remember, until you get a clear scan, to run RKill or TheKiller before the scan and run MBAM without restarting.

From the log it looks like you've got the Smart HDD infection sorted; you may find there's still a folder for on C: which simply needs deleting.
0
 

Author Comment

by:manch03
ID: 37852604
I am running another big scan - takes forever, but should be worth it - not sure if it is totally gone. I cannot change the background from black to a different color.
0
 

Author Comment

by:manch03
ID: 37852788
So far 9 infections found again...  I am so tempted to wipe this out, but there are many licensed manufacturing programs on it and the programmer is worried this will wipe out all the licensing, etc. etc. which it will, but if I cannot get rid of this, I have no choice.
0
 
LVL 6

Expert Comment

by:sarasotamac
ID: 37852805
I think you are wasting your time. This is so bad; even if it is cleaned, it messed with folder permissions, and this laptop may be unstable after you fix it. He got a virus, not you. Salvage what you can, rebuild, help the next person.

Surrender! White flag!
0
 

Author Comment

by:manch03
ID: 37853095
@sarasotamac - you are right - I bit the bullet and did the restore to factory settings - too much time wasted on this - I have to support this, so this is probably for the best.  Just hope all my copying of all the files worked and I don't copy the virus back into the laptop.  But it was a good effort.
0
 

Author Closing Comment

by:manch03
ID: 37853825
Although I could not get rid of the virus because it was too embedded in the system, these were both good tries.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 37853959
I got really busy today. Things came up. You needed to flush the MBR even with a new re-install. Sorry to say, but it was possible to get it back to normal, especially with this kind of rootkit. I've done this many times over.

If it's still possible, you need to definitely wipe the Master Boot Record. A few tools that do this are the Win Vista/W7 Repair disk (best way) or bootrec from the Windows Installation disk (best way), the aswMBR tool, and mbrfix.exe.

You can also do a check/repair using MBRCheck. This one outputs a logfile to the desktop. Just for future reference.
0
 
LVL 2

Expert Comment

by:PSGITech
ID: 37860935
I repeat....

I used to like Malwarebytes...recently it's not cleaning the infections... try Combofix

http://www.bleepingcomputer.com/download/anti-virus/combofix

You will need to disable AVG temporarily...tools ->advanced-> temp disable AVG.

Run ComboFix but only download from Bleeping Computer.
0
 

Author Comment

by:manch03
ID: 37865297
Even the restore from the D drive was corrupt so I wiped out the disk and reformatted - hopefully this gets rid of it right?
0
 
LVL 6

Expert Comment

by:sarasotamac
ID: 37865463
Yes it will.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 37866485
Are you talking about the recovery drive that has the factory backup image? In most cases this should not be the case.

ZeroAccess does not touch the backup image. This would wipe any hope of restoring to the original out-of-factory condition, and is also troublesome if there is a lack of a Vista installation disk to restore damaged system files, which ZeroAccess has been known to corrupt on the main drive.
0
 

Author Comment

by:manch03
ID: 37870722
Yes, the recovery drive on the D drive of the laptop was corrupt.  I restored it and had the same problems - could not update Windows at all.  In addition to having the virus, it also started with this original problem.  I ended up wiping it out, formatting the drive and doing a clean install of Windows.  It is perfect now.
0
