Computer Got a BAD, BAD cold!

About Truespace Archives

These pages are a copy of the official truespace forums prior to their removal somewhere around 2011.

They are retained here for archive purposes only.

Computer Got a BAD, BAD cold! // Tech Forum


Post by Délé // Feb 26, 2009, 12:33pm

Hey guys,


This isn't really tS related, but I know there are some tech savvy folks around here that may be able to help.


My computer got completely hosed by a really bad virus. It completely locked me out. I'm using my old computer right now so I can at least check emails and find some help. I don't really have any money for a virus removal service, especially geek squad. Geez, they charge $200.


Anyway, this is the situation. I was surfing the net last Saturday and got a warning of a virus. I have McAfee Security Suite and it's always updated. I started getting warnings from McAfee that attempts were being made to change the registry. I selected to block it each time it came up. Then I tried to open McAfee hoping to run a virus scan and eliminate it, but my computer froze up, so I rebooted.


That's when the real trouble started. When I logged back into my Windows user profile, my background image had been changed to multi-colored squares. I had no toolbar, start menu, files, or folders. Just that stupid colored screen. Left or Right clicking does nothing. I tried Ctrl+Alt+Del, but I just get a message saying that has been disabled by the Administrator.


Now I'm running Windows XP Pro and am the ONLY user. Or at least I should be. I tried logging in with Safe mode and noticed that there is another user profile named "Administrator" that is password protected. I did try just leaving the password blank and hitting enter, but it won't let me in. I can log into my regular user profile but I can't access anything, as I mentioned above. I'm completely locked out of my own computer. It looks like the virus created a new administrator profile that is password protected, then disabled absolutely EVERYTHING on my profile.


I tried everything I can think of. I even tried buttons on my keyboard to open something, anything. Nothing works. I tried putting a dvd in my dvd rom to see if that would even start up, to no avail. I tried booting the last known configuration, but that didn't work either. I've tried everything I can think of.


So, has anyone here run into something like this before? Anyone have any ideas how I can get back into my computer and restore access? I really don't want to reformat and lose months worth of work and have to reinstall everything again and I don't have the money right now for professional virus removal. Any ideas would be greatly appreciated.


Thanks

Post by trueBlue // Feb 26, 2009, 1:03pm

Ouch sorry to hear Dele. I found this article and I hope it helps.
http://service.mcafee.com/faqdocument.aspx?id=TS100054&lang=en_US&prior_tid=2&AnswerID=16777219&turl==http%3A%2F%2Fkb.mcafee.com%2Finfocenter%2Findex%3Fpage%3Dcontent%26id%3DTS100054%26actp%3Dsearch

Post by Khai // Feb 26, 2009, 1:12pm

if you can download this http://www.freedrweb.com/livecd/ and burn it to a CD, it's a bootable AV program that may help.. I've used Dr Web's Cureit! a few times and found it an excellent tool.

Post by Jack Edwards // Feb 26, 2009, 1:34pm

You might be able to re-install windows from your CD without doing a re-format.

Other than that, basically you're going to need a bootable CD with the AntiVirus software on it.

Post by splinters // Feb 26, 2009, 1:36pm

Can you remove your hard drive and make it an external/backup drive on another machine to copy the files over...you could take ownership of the drive then reformat your main machine. I have a cheap connector that makes a 2.5 or 3.5 inch IDE drive into an external USB drive. I fix a lot of PCs this way and have retrieved a lot of files prior to reformatting.


Maybe another idea for you...??

Post by Mr. 3d // Feb 26, 2009, 2:39pm

It sounds like you've lost your Administrator control over your computer. If you think you have a serious virus, you really need to consider doing a full system recovery (very easy to do....but you will lose all information).

Before you go to this extreme, try this:
-- go into (Safe Mode)
-- open (Start Menu) and go to your (Control Panel)
-- open (User Accounts)
-- select (Manage Another Account)
-- open your computer named account and make sure that you are the Administrator (check Administrator box)
-- close the window to your account and open up the unidentified Administrator account (the Administrator account that you did not create)
-- (Delete it)
-- go back to your (Start Menu) and instead of selecting (Restart), select (Switch User)
-- select your user account
-- this recycles you back to (Safe Mode)
-- (Restart) your computer from Safe Mode

Let me know what happens.
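A command-line way to do the account check in the steps above before deleting anything, as an added example that is not part of the original thread or any poster's own procedure. It assumes a current Windows release with PowerShell 5.1 and the Microsoft.PowerShell.LocalAccounts module (not the Windows XP machine in the thread) and an elevated prompt. It lists every local account, marks the built-in Administrator by its well-known relative ID 500, and flags any other enabled account that holds Administrators membership, so an account nobody created stands out.

```powershell
# Added example: audit local accounts before deciding what to remove.
# Assumes Windows 10/11 or Server 2016+ with PowerShell 5.1 and the
# Microsoft.PowerShell.LocalAccounts module; run from an elevated prompt.

function Get-LocalAccountAudit {
    # SIDs of the user accounts that are direct members of Administrators
    $adminSids = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' } |
        ForEach-Object { $_.SID.Value }

    Get-LocalUser | ForEach-Object {
        [PSCustomObject]@{
            Name            = $_.Name
            Enabled         = $_.Enabled
            # The built-in Administrator account always has relative ID 500;
            # any other account with admin rights was added after install.
            BuiltInAdmin    = $_.SID.Value -like '*-500'
            IsAdmin         = $adminSids -contains $_.SID.Value
            PasswordLastSet = $_.PasswordLastSet
            LastLogon       = $_.LastLogon
        }
    }
}

# Show everything first, then the accounts worth a second look: enabled,
# holding admin rights, not the built-in account, and not the user running this.
$audit = Get-LocalAccountAudit
$audit | Format-Table -AutoSize

$suspect = $audit | Where-Object {
    $_.Enabled -and $_.IsAdmin -and -not $_.BuiltInAdmin -and $_.Name -ne $env:USERNAME
}
foreach ($acct in $suspect) {
    Write-Host "Review before removal: $($acct.Name) (admin; password last set $($acct.PasswordLastSet))"
}
```

The script only reports; removing an account is still a deliberate `Remove-LocalUser` step once you are sure it is not one you or your software created.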

Post by v3rd3 // Feb 26, 2009, 3:51pm

If the bomb that hit your machine got past an updated McAfee you may have been hit by a rootkit. They vary in the depth and strength of their attack.


It sounds like what has hit you is a bad one. Geek squad is likely not your best place to find professional help unless the individual servicing your machine can explain exactly what has happened. The only players in the game that can do this are serious hard core security personnel.


I had a machine infected with a rootkit 2 years ago. The rootkit was set up to add my pc to a file sharing ring. Some of what I found was not for the faint of heart. I spent 2 weeks hacking my bootstrap and startup, reinstalling etc. I ended up simply abandoning the hard drive and reinstalling "everything". I was able to email myself critical files etc. Fortunately these guys don't seem to hack .cob.


For a background on rootkits and a tool that can expose them go to:


http://technet.microsoft.com/en-ca/sysinternals/bb897445.aspx


If you get control of your machine following Mr. 3d's suggestion, download the rootkit revealer and see what it tells you.


Good Luck, I hope your recovery is a success.

Post by Délé // Feb 26, 2009, 8:07pm

Thanks for the ideas guys. I'll mess around a bit more and see what I can do. That rootkit doesn't sound good at all. I hope I don't have that. I really don't want to lose the information on my hard drive. It would be literally months of work, gone. I don't know why I hadn't thought to back it up on my external drive. My computer is still so new, I just hadn't thought to do that yet I guess. :rolleyes:

Mr. 3d: Thanks, but unfortunately I have absolutely no access to anything. Even in safe mode it's completely blank. No start menu, no task bar, no files or folders, no Ctrl+Alt+Del, no mouse clicking, nothing. I am completely locked out. I've never heard of anything as bad as this before.

I did talk with a customer service rep at geek squad and told her in detail what is going on. She sounded confident they could fix it, but you never know I guess. They could just always say that to get the business. $200 would definitely be a hard hit, especially so close to tax time. I may give them a shot as a last resort though.

Thanks guys. Very much appreciate the help. ;)

Post by v3rd3 // Feb 26, 2009, 9:17pm

Another thought would be to contact McAfee. If your anti-virus was up to date perhaps they can offer some suggestions/cures. Usually if there is a new bug and they don't catch it they will take a trouble ticket and find a cure.


I seem to remember downloading a specific bug fix from their web site years ago; the fix worked. My group did not report the bug but the fix was available between updates.


Good luck again.

Post by Mr. 3d // Feb 26, 2009, 10:22pm

When I turn on my computer, I can continuously tap on the F10 key and it will access my BIOS screen (just like I can access my Safe Mode screen by tapping F8 upon initial startup). Inside your BIOS screen, you can access your passwords and erase them.....This may get you back in control.

Post by chamaeleon // Feb 27, 2009, 8:07am

Perhaps it might be worthwhile getting Knoppix (http://www.knoppix.net/) onto a CD and boot from that and see if you can access the disks read-only at least and copy important stuff to an external harddrive or something.

Post by Finis // Feb 27, 2009, 12:13pm

You've surely tried this but just in case: can you boot from the McAfee CD?

Post by Délé // Mar 1, 2009, 7:54pm

Thanks guys. ;)


Well, I'm still not out of the woods yet, but I did finally catch a break. I had pretty much given up, but I thought I'd tinker one more time last night. After messing around a bit I took a few minutes to look something up on the internet with this old computer and left my new one (the infected one) running. Finally, a McAfee message popped up warning that I hadn't updated in over 8 days. I was hoping a message like that would pop up eventually.


So that allowed me to open my McAfee Security Center. First thing I tried was running a complete virus scan. It didn't find anything (guess that's why it got by). Then I tried looking in the "back up and restore files" section to see if there would be a way to back up my work and such. From there I was able to get a browser window to pop up and WHAM! All of a sudden I got my task bar, start menu, files, and folders all back.


As soon as all that came back I started getting all those alert messages and such again. They have got to be fake. One alert warns that my computer is infected and I have to run a spyware program to get rid of it. If I click "OK", it tries to bring me to a website "www.easyfastdirect.com". Not sure what that is, but I'm sure it's not from a standard Microsoft message. There is a stupid thing in my taskbar that keeps making these messages pop up and when I click that, it tries to bring me to that website too. I was also getting pop up advertisements and crap as well.


I was able to update my McAfee though. Then I did a lockdown and ran the virus scan again. This time it found a whole bunch of problems. It was able to fix or quarantine most of them. There are a few that need a reboot before they'll be wiped out and one that couldn't be fixed.


I checked out the one that couldn't be fixed and it looks like the Trojan got into my Winlogon.exe file. It looks like McAfee tried to terminate the processes from that and it couldn't. So I found an app on the web called Process Explorer. This program allowed me to see the processes since I can't open my task menu (I think because of the hacked Winlogon file). So I found some info on the web stating that you can stop the processes for the Winlogon and when you start the computer back up it will reset.


So that's where I am now. McAfee wants me to reboot my computer to finish wiping out some files, and I have to reboot to reset the Winlogon. However, I can't reboot. When I try to reboot or shut down it does nothing. It's just as if I hit cancel. I don't want to do a hard shut down because then I don't think it would finish what it needs to do.


So as of now, I can't get into my task manager, can't get into my registry, can't reboot, and those stupid "fake" alert messages keep popping up. Oh yeah, and I still can't change my wallpaper. I'd love to get rid of the stupid multicolored squares, but when I open my Display Properties window, the wallpaper stuff is all grayed out. The thumbnail display looks all goofy too, like a fragmented image. It's strange.


However, now that I have access to at least most stuff, I should be able to clean things up (once I figure out how). At the very least I should be able to back up essential work files and such (whew).


If anyone has more ideas now that I have some access to stuff, I'd still appreciate any feedback. In particular it looks like I need to resolve that darn Winlogon issue. I need to get those alert messages to stop and gain access to my registry, task manager, and display properties too.


It is good to see my files and folders again though.


Thanks for the help guys. ;)


Oh btw, in case anyone is wondering, the detection name of the Trojan that nailed me is: Spy-Agent.bw!mem :mad:


I would love to get my hands on whoever wrote that fun little piece of software.
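The symptoms listed in this post (Task Manager "disabled by the Administrator", no registry access, desktop icons gone, wallpaper controls greyed out) are what the documented per-user Windows policy values below produce when set. As an added example, not something from the thread or from any poster, here is a PowerShell script that reports which of those values are currently set under HKCU and can clear them. It assumes a Windows version with PowerShell 5.1; the value names are real Windows policies, but whether a given infection sets exactly these is an assumption.

```powershell
# Added example: report (and optionally clear) the per-user policy values behind
# a "locked out of my own desktop" symptom set. Value names are documented
# Windows policies; which ones a specific infection touches is an assumption.

$policyRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

# Each entry: registry subkey, value name, and the symptom it causes when set to 1.
$checks = @(
    @{ Key = "$policyRoot\System";        Name = 'DisableTaskMgr';       Symptom = 'Task Manager "has been disabled by your administrator"' },
    @{ Key = "$policyRoot\System";        Name = 'DisableRegistryTools'; Symptom = 'regedit refuses to open' },
    @{ Key = "$policyRoot\System";        Name = 'NoDispBackgroundPage'; Symptom = 'Desktop/wallpaper tab missing from Display Properties' },
    @{ Key = "$policyRoot\Explorer";      Name = 'NoDesktop';            Symptom = 'desktop icons and folders hidden' },
    @{ Key = "$policyRoot\Explorer";      Name = 'NoRun';                Symptom = 'Start > Run removed' },
    @{ Key = "$policyRoot\ActiveDesktop"; Name = 'NoChangingWallPaper';  Symptom = 'wallpaper controls greyed out' }
)

function Get-LockoutPolicies {
    foreach ($c in $checks) {
        $value = $null
        if (Test-Path $c.Key) {
            # Missing value -> $null; present value -> its DWORD
            $value = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        [PSCustomObject]@{
            Key     = $c.Key
            Name    = $c.Name
            Value   = $value
            Active  = ($value -eq 1)
            Symptom = $c.Symptom
        }
    }
}

function Clear-LockoutPolicies {
    param([switch]$WhatIf)
    foreach ($p in Get-LockoutPolicies | Where-Object { $_.Active }) {
        if ($WhatIf) {
            Write-Host "Would remove $($p.Key)\$($p.Name)"
        } else {
            Remove-ItemProperty -Path $p.Key -Name $p.Name
            Write-Host "Removed $($p.Key)\$($p.Name)"
        }
    }
}

# Usage: report first; clear only after the scanner has quarantined whatever set
# the values, otherwise the running malware simply writes them back.
Get-LockoutPolicies | Format-Table Name, Active, Symptom -AutoSize
Clear-LockoutPolicies -WhatIf
```

Explorer reads most of these at logon, so after `Clear-LockoutPolicies` (without `-WhatIf`) the desktop and Display Properties only come back after logging off and on again; Task Manager and regedit pick the change up immediately. The same value names also exist under HKLM, which the script does not touch.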

Post by Mr. 3d // Mar 1, 2009, 8:18pm

If it were me, I'd burn all my files to disc and then do the Hard shut down (only because I have no problems with shutting down that way).....sometimes it is necessary to do. Also, any warning that pops up and is not from McAfee is fake.

Post by TomG // Mar 2, 2009, 3:37am

Yes, fake messages about needing a virus scan, which take you to fake anti-virus programs that are really viruses, are an in-thing in the virus world right now it seems :( These are often done on web pages as ads etc too.


So looks like they've installed something similar to what is seen on the web directly on the machine. In a sense, that might be good - it is still trying to get you to download more virus stuff, which could mean the worst of the stuff isn't on the machine yet.


I hope you get all your files recovered of course, be super careful and make sure none of them carry the virus forward to your next install or your other machine. I had never heard of a virus being this bad :( Keep us updated on how you get it defeated!


Tom

Post by Jack Edwards // Mar 2, 2009, 4:21am

That one is a friggen pain. My brother got it on my dad's computer.

Spybot and AVG were able to get rid of it, but it took a bit of work. You have to set Spybot to scan on boot. It will stop the boot process halfway and scan before the crap gets loaded.

And YES you want to do a hard power off after running the scan - pull the plug from the wall. A soft power off will allow the virus/spyware to re-install itself on shutdown.

Words of advice: NEVER click on any browser window that says something like "Your computer is infected" or "Spyware found!" And if you see one of those use Task Manager to terminate your internet browser ASAP! (Or pull the plug on the computer.)

Post by TomG // Mar 2, 2009, 6:13am

One thing on those browser pop ups is that any button, even cancel, is usually not cancel. So I can see why you'd kill it in Task Manager rather than hit cancel, or even use the Windows "X" button (which may also be hijacked).


Not saying this is what happened here, but just since the topic of false spyware messages coming up arose, figured it was worth mentioning the browser versions that are proliferating.


HTH,

Tom

Post by trueBlue // Mar 2, 2009, 6:31am

When I got rid of Anti Virus 2000 from my daughter's PC, I had its alerts popping up making it impossible to do anything. I located where it was and renamed the folder and exe so that it could not find itself.

Post by Finis // Mar 2, 2009, 7:19am

Now that you can back up your files I'd save 'em, wipe the system clean, and reinstall the OS and all from scratch. Just because this one was so sneaky that you never know where it is hiding.

Post by marcel // Mar 2, 2009, 7:39am

I work on external hard drives. DVD backup is not reliable. The best protection is to say that it does not matter if the PC crashes. One original on the PC and 2 copies on different hard drives. ;)

Post by Norm // Mar 2, 2009, 7:50am

These hackers should be classified as terrorists, same thing goes for telephone sales slugs.

Post by RichLevy // Mar 2, 2009, 7:50am

I got something like this a couple of years ago... Don't shut down the machine till you have all your valuable data backed up, then be prepared to format and lay down a new OS fresh.

I know my experience is ancient history in the never ending virus game, but that one that got me was a big pain in the butt. I ended up getting control of the system again, after a couple of days of trying everything, then I shut down and lost all access to the system again...


Good luck, sounds like you are heading in the right direction though.


rich

Post by spacekdet // Mar 2, 2009, 8:06am

I say you take off and nuke the entire site from orbit.
It's the only way to be sure.

Post by Mr. 3d // Mar 2, 2009, 8:21am

Spacekdet is right :D
Total System Recovery

Post by JimB // Mar 2, 2009, 8:42am

If you have data that you can't do without then get another hard drive as Splinters has said and use the original (infected) drive as a slave or put it into a caddy to retrieve your valuable data.


Shoot all virus spreaders.

Post by Délé // Mar 2, 2009, 9:23am

TomG wrote:
One thing on those browser pop ups is that any button, even cancel, is usually not cancel. So I can see why kill it in task manager rather than cancel, or even use the windows "X" button (which may also be hijacked).

Not saying this is what happened here, but just since the topic of false spyware messages coming up arose, figured it was worth mentioning the browser versions that are proliferating.

HTH,

Tom

Yeah, I think that's exactly what happened here. I got a warning that my computer was infected. It looked like a regular windows alert message. I didn't trust it though because it wasn't from my McAfee, so I hit the "X" button to close it. They must have had all of the buttons, including the "X", programmed to run the Trojan. Now I know, don't hit "ANY" button from a message like that. I'll just pull the plug and reboot immediately.


I found a thread on the McAfee forums from someone who just got hit from the exact same virus as me (about the same time too it looked like). Anyway, he paid for the McAfee virus removal and although they said they completely removed it, some of the mischievous files kept showing up. So he ran a program called Malwarebytes. He said it fixed his registry problems and such. So I downloaded that to see what it could do. It found lots of problems and did seem to gain access to the registry to fix malicious changes. However, at the end it required a reboot too.


So now I have run three programs that have found and supposedly fixed the problems but require a reboot. I guess the only option now is to save my files to my external HD and do a hard shut down. I'm a little worried that the virus will spread to my external HD though, and also that the virus might regain control on start up and I'd be back to square one.


I'm kind of tempted to try to get a hold of a little cash and try the McAfee virus removal since I do have some access to my computer and the internet right now. Maybe a pro could clean it out better than I. Then again, from that other person's forum post and my knowledge of their horrible customer service, I'm a bit leery.


Ah, choices, choices. :rolleyes:


Norm wrote:
These hackers should be classified as terrorists, same thing goes for telephone sales slugs.


I agree. You know, the U.S. government has a group of super smart people that do nothing but sit and think stuff up all day. They have super computers that can do all kinds of very complicated tasks. You would think someone could come up with a way to track these jerks down and throw them in prison. Taking control and wrecking someone's computer remotely should be no different than if they broke into a home, stole personal information, and then smashed everything.

Post by Jack Edwards // Mar 2, 2009, 9:52am

McAfee doesn't work on this virus. I have a friend who just called me with the exact same virus. He also has McAfee. My guess is that McAfee is making a fortune off of this. DON'T PAY THEM MORE FOR A SUCKY PRODUCT THAT DIDN'T PROTECT YOU IN THE FIRST PLACE. This virus has been out for months!! That McAfee hasn't released an update for this one is really bad service.

AVG is free for personal use (you can get the free version from download.com) and it blocks this one. Don't go wiping the system until you've gotten an AV solution that blocks it, because you'll get infected again as soon as you go to any website that uses the same ad service as the one that hit you previously.

Also contact the company that owns/runs the website and inform them that their ad service is infecting people with viruses. They are liable for damage caused by that virus because their website was used to distribute it. If they do nothing about it, then they are *intentionally* distributing malicious software. Most will cancel or inform the ad service very quickly.

Kaspersky is another good AV solution:
http://www.kaspersky.com/

Norton and McAfee are poor solutions that slow down your computer, provide limited protection, and seem to be only trading on their names. Be wary of any company that feels the need to "bundle" their products with new PCs, instead of earning market share on the quality of their product.

Post by Mr. 3d // Mar 2, 2009, 10:02am

I would burn all my Documents, Downloads, Favorites, etc. to separate reloadable discs. Then do a Full system recovery. This will return your computer to its original factory-shipped condition....all viruses eradicated !....(brand new computer again) !
You will then need to reload all of your programs and files that didn't originally come with your computer. Make sure you burn all other program downloads to disc for easy re-install access (tS, Quicktime, etc.).
Here's another helpful link...(http://forums1.caligari.com/truespace/showthread.php?t=7402)

Post by spacekdet // Mar 2, 2009, 10:08am

Something you may want to add (http://noscript.net/) when you get back up and running.

Post by v3rd3 // Mar 2, 2009, 3:15pm

ALERT ALERT ALERT.... Do not install Kaspersky unless you are going to commit to it for life. A number of former colleagues have installed it. Kaspersky does not play nice with other antivirus and some spybot tools. Kaspersky hooks so deeply into your system internals that you cannot ever completely uninstall it should you choose to do so.


Dele, I would have no problem supporting the idea of using AVG as your second or third AV tool. I have used it for many generations and appreciate its reliability and completeness as an AV tool.


Another free option to try is to use Trend Micro's free online virus scan. Very effective removal tool as well.