Thread: [RESOLVED] Very strange!

  1. #1

    Thread Starter
    Addicted Member
    Join Date
    Dec 2006
    Location
    Between Try & Catch
    Posts
    249

    [RESOLVED] Very strange!

    In all my years surfing the internet, I've never gotten infected with what my laptop got infected with last night.

    What basically happened was my fiance was "getting a file" for me and once it downloaded, she tried to open it, and she got a message saying something about "Spyware detected". She didn't try to find it before rebooting the computer, so I don't know what the restart did.

    Now, I've had several viruses before. I generally just do a system restore since I always have backups of important things anyway.

    But this thing I got last night has thrown me for a loop. First off, when I boot XP, nothing shows except the background and the mouse pointer. No icons, no taskbar, nothing. Try to run task manager, nope as "Task Manager has been disabled by administrator".

    So when I got to work this morning (couldn't use my computer at home obviously), I went looking around Google and apparently this is a common virus people get.

    I've been compiling information on possible solutions all morning, since I won't be able to get back on the net if one thing doesn't work. I've gotten a lot of information as to what kinds of things I can do during pre-boot and in safe mode, so I'll be trying those things out tonight when I get home.

    During my research, I had a "duh" moment. Even though I had the system restore disc in the cd tray, the computer wouldn't boot from the disc. I forgot to check the BIOS and make sure it tried to boot from cd first, then hard drive. The last time I did one though, I don't remember having to change this configuration, so that may be another bridge I have to cross.

    I just wanted to ask if anyone here has experienced this virus, and if so, how did you ultimately get your computer back to normal? I was so frustrated last night, I almost went out and bought a brand new laptop (which I may still end up doing anyway), but I still want to get this one fixed as I had planned to upgrade the hd and ram.
    If my post helped you, please rate it!

    Languages: VB/ASP.NET 2005, C# 2008,VB6
    Databases: Oracle (knowledge not currently in use), DB2

    FROM Customers
    WHERE We_Know_What_We_Want <> DB.Null
    SELECT *
    0 rows returned

  2. #2
    PowerPoster stanav's Avatar
    Join Date
    Jul 2006
    Location
    Providence, RI - USA
    Posts
    9,290

    Re: Very strange!

    If you can't boot into windows at all (normal or safe mode, it doesn't matter), pull the HDD from the infected PC out and hook it up to another PC with a good antivirus software installed and do the scanning there.
    Let us have faith that right makes might, and in that faith, let us, to the end, dare to do our duty as we understand it.
    - Abraham Lincoln -

  3. #3

    Thread Starter
    Addicted Member
    Join Date
    Dec 2006
    Location
    Between Try & Catch
    Posts
    249

    Re: Very strange!

    I can boot up in safe mode. There's just a lot of things I could have tried, but didn't because I haven't come across anything this severe before.

    What if I swap out the current hdd with another one (something I planned on doing anyway)?

  4. #4
    Frenzied Member TheBigB's Avatar
    Join Date
    Mar 2006
    Location
    *Stack Trace*
    Posts
    1,511

    Re: Very strange!

    Yes, I've had this for one of our clients. I don't exactly know what the result is yet, as we haven't got feedback yet... But these are the steps:
    - Put in the windows disc and boot from it
    - Don't go in restore mode directly, but continue
    - Accept the license agreement
    - The setup should now go and search for Windows installations and say there is one that you can repair
    - Press 'R' to repair
    - Setup will copy files, reboot and ask for your product key and stuff
    - If you hit an error that it needs a certain disk for drivers just cancel; setup will continue
    - I'd download a virus scanner and clear the infected files and I'd also take a run at hijackthis to remove start-up programs.

    As I said, I'm not sure whether this solved the problem yet, but these steps should do the trick and get it at least back to work.
    Delete it. They just clutter threads anyway.

  5. #5
    Frenzied Member TheBigB's Avatar
    Join Date
    Mar 2006
    Location
    *Stack Trace*
    Posts
    1,511

    Re: Very strange!

    Quote Originally Posted by Blakk_Majik
    I can boot up in safe mode. There's just a lot of things I could have tried, but didn't because I haven't come across anything this severe before.

    What if I swap out the current hdd with another one (something I planned on doing anyway)?
    Well, you obviously have to reinstall the system, but that's something you could also do on the old disk...

  6. #6

    Thread Starter
    Addicted Member
    Join Date
    Dec 2006
    Location
    Between Try & Catch
    Posts
    249

    Re: Very strange!

    Quote Originally Posted by TheBigB
    Yes, I've had this for one of our clients. I don't exactly know what the result is yet, as we haven't got feedback yet... But these are the steps:
    - Put in the windows disc and boot from it
    - Don't go in restore mode directly, but continue
    - Accept the license agreement
    - The setup should now go and search for Windows installations and say there is one that you can repair
    - Press 'R' to repair
    - Setup will copy files, reboot and ask for your product key and stuff
    - If you hit an error that it needs a certain disk for drivers just cancel; setup will continue
    - I'd download a virus scanner and clear the infected files and I'd also take a run at hijackthis to remove start-up programs.

    As I said, I'm not sure whether this solved the problem yet, but these steps should do the trick and get it at least back to work.
    For some reason, even though the disc is in the tray, it won't boot from the disc. Probably have to fiddle around with BIOS to get this working correctly.

  7. #7
    Pro Grammar chris128's Avatar
    Join Date
    Jun 2007
    Location
    England
    Posts
    7,604

    Re: Very strange!

    Yeah you will need to put the CD drive at the top of the boot order list in the BIOS, but most PCs also have like a "one time boot menu" button. So for example you press F11 at the very first screen that appears when you turn your PC on and it pops up and asks where you want to boot from. It usually tells you which key this is on the first screen (sometimes only for a very brief moment though...)
    My free .NET Windows API library (Version 2.2 Released 12/06/2011)

    Blog: cjwdev.wordpress.com
    Web: www.cjwdev.co.uk


  8. #8

    Thread Starter
    Addicted Member
    Join Date
    Dec 2006
    Location
    Between Try & Catch
    Posts
    249

    Re: Very strange!

    Just to update. I was able to get my icons and everything to show up in safe mode, so I backed up a few documents.

    Switched the boot order in the BIOS and ran a system restore. So far so good.

    This is by far the most troublesome virus/malware/spyware/whatever that I've ever had.

  9. #9
    I'm about to be a PowerPoster! Hack's Avatar
    Join Date
    Aug 2001
    Location
    Searching for mendhak
    Posts
    58,333

    Re: [RESOLVED] Very strange!

    Do you know where you got it from?

  10. #10
    coder. Lord Orwell's Avatar
    Join Date
    Feb 2001
    Location
    Elberfeld, IN
    Posts
    7,628

    Re: [RESOLVED] Very strange!

    The "disabling task manager" is a common tactic for malware (notice I didn't say virus). A virus doesn't actually have to turn task manager off since they don't show up as tasks.

    My idea for a secure OS: it checks the md5 before launching the program. This would prevent infected .exe files from running.

    Anyway, system restore should have fixed it, but you need to take the following steps:
    - Delete every file in c:\recycler (not recycle bin)
    - Delete every file in c:\windows\temp
    - Go into windows and into windows\system and into windows\system32 and delete every file with the date stamp from the day you were infected or later. Most likely will have a random name.

    Finally, you need to install and keep running a spyware detector such as spybot s&d. Evidently your virus scanner is good enough to actually detect spyware but removal isn't included in the program. There are plenty of free ones out there, and spybot doesn't use up very many system resources and keeps a blacklist running that prevents known programs from even launching in the first place.
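
Added example, not part of the post above or of any poster's code: the cleanup steps in post #10 key on files date-stamped on or after the infection day, so this Python sketch lists those files with a SHA-256 for review rather than deleting them, and it can be pointed at the drive attached to a clean PC as post #2 suggests. The dates, file names and temp folder in `demo` are constructed, and because malware can alter timestamps the list is a triage filter, not proof.

```python
import hashlib
import os
import tempfile
from datetime import date, datetime
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()


def files_changed_since(roots, infected_on):
    """List (path, modified, sha256) for top-level files in each root whose
    date stamp is on or after infected_on. Nothing is deleted."""
    cutoff = datetime.combine(infected_on, datetime.min.time()).timestamp()
    hits = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue  # e.g. no RECYCLER folder on this volume
        for entry in sorted(root.iterdir()):
            try:
                mtime = entry.stat().st_mtime
            except OSError:
                continue  # entry vanished or cannot be inspected
            if not entry.is_file() or mtime < cutoff:
                continue
            try:
                checksum = sha256_of(entry)
            except OSError:
                checksum = None  # locked or unreadable: still listed for review
            hits.append((str(entry), datetime.fromtimestamp(mtime), checksum))
    return hits


def demo():
    """Constructed sample: two files in a temp folder standing in for system32."""
    with tempfile.TemporaryDirectory() as folder:
        for name, stamp in (("kernel32.dll", datetime(2009, 3, 1, 9)),
                            ("xkqzt.exe", datetime(2009, 3, 10, 22))):
            path = Path(folder, name)
            path.write_bytes(name.encode())
            os.utime(path, (stamp.timestamp(), stamp.timestamp()))
        roots = [folder, Path(folder, "missing")]
        return [(Path(p).name, m, h)
                for p, m, h in files_changed_since(roots, date(2009, 3, 10))]
```

The hashes give something to look up or compare against a known-good install before anything is removed.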

  11. #11

    Thread Starter
    Addicted Member
    Join Date
    Dec 2006
    Location
    Between Try & Catch
    Posts
    249

    Re: [RESOLVED] Very strange!

    Quote Originally Posted by Hack
    Do you know where you got it from?
    I was downloading a torrent, so there's no way to tell who actually uploaded it to me.

    Lord Orwell,

    I will be trying your suggestions when I get home tonight.

  12. #12
    coder. Lord Orwell's Avatar
    Join Date
    Feb 2001
    Location
    Elberfeld, IN
    Posts
    7,628

    Re: [RESOLVED] Very strange!

    Since you download torrents, it's entirely possible a different one was infected. Ones offhand I am aware of that are freakin-loaded are nero 8 and one of the adobe cs3 ones. If you really must download torrents, check the comments and the torrent rating. If it's got spyware someone's going to complain. And if someone says it does and it doesn't, they will get shouted down. I recommend thepiratebay.org for all your legal torrent tracking needs simply because it has a thread for every torrent. I sometimes get old software there that isn't for sale anywhere anymore. Or for example yesterday I broke a game cd (sonic the hedgehog cd) by stepping on it. I still have the cd so I can own the game etc etc.
