This virus has blown me away



John Schreiber
08-18-2008, 1:31 PM
First some questions I hope someone here knows the answers to:


Can I transfer an anti-malware program to an infected computer using a USB key, or will the key become infected? If so, can I protect the USB key?

Can I set up a USB key so I can run anti-malware programs directly from the key? How?

Usually after installation, anti-malware programs get updated data through the Internet, but I don't have Internet access on this PC now. Can I transfer anti-malware programs to the affected computer with full updates, or can I transfer the updates by themselves for the software to use?


More detail about the problem in the following post.

John Schreiber
08-18-2008, 1:33 PM
I’m a competent computer user and my PC is well protected with Comodo firewall software, AVG antivirus software and SpyBot S&D & Ad Aware anti-spyware programs. I got hit with something that has stumped me.

I broke one of the cardinal rules and ran an executable from an unconfirmed source. (I thought it was safe - but no.) Immediately firewall and spyware alarms started going off and I denied all requests. The wallpaper changed to a warning that my PC had spyware and I needed to download protection. Eventually the PC froze and would not respond to Ctrl-Alt-Del or anything else.

I did a hard reboot. The PC froze during the reboot.

I did a 2nd reboot in safe mode. The screen was blank and the PC unresponsive.

I rebooted a number of times in various safe modes and each time the screen was blank and the PC unresponsive.

I rebooted in normal mode. All my anti-malware software was uninstalled. Not just icons deleted, but actually uninstalled. Warning and error messages come up constantly. Firefox and Explorer would both operate only for a short time before freezing. Opera worked. All sites for anti-malware software and related discussion/help forums were blocked. Also, almost all freeware sites were blocked. The display properties on the background/wallpaper did not show either Desktop or Screen Saver tabs, so the new wallpaper is still there.

Using StartUp Inspector, I blocked all startup programs which I could not identify or which I didn’t need immediately.

I reinstalled Comodo and Spybot from copies of installation files stored on my hard drive. Comodo was instantly deleted. Spybot tea-timer did work and blocked many attempts to change the registry, run programs etc. I was unable to update Spybot or have it run a check for spyware. I eventually reinstalled AVG Anti-virus. It was unable to update itself, but it did scan my hard drives. It showed no problems.

I found that ignoring the tea-timer notices prevented additional requests for access. At that point, Firefox and Explorer worked again, but could still not access malware-related sites.

I found the Hosts file and none of the sites which were blocked were listed there. The remarks showed that all the sites listed were placed there by SpyBot Immunization.

While searching for ways around the blocked sites, using Google’s cache and rare unblocked sites, all Internet access ended. My Internet access settings were deleted. Now I’m writing from work.

The virus seems to be “Antivirus 2009”, but there may be others involved.
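John checked the hosts file by hand to see whether the blocked security sites had been redirected there. The script below is an added example (not from the thread, and not any vendor's tool) that performs the same check: it parses a Windows-style hosts file, skipping comments such as the immunization remarks he mentions, and reports any entry that overrides a site on a watch list. The hosts content and the site list are constructed; only www.malwarebytes.org comes from the thread, and the ".example" domains are placeholders. An empty result, as in John's case, means the blocking is happening at some other layer and the hosts file can be ruled out.

```python
"""Parse a Windows hosts file and report which security-related sites it
maps somewhere else. Added example for this thread; the hosts content and
the site list below are constructed, not taken from the poster's machine."""
import ipaddress

# Constructed hosts content: a legitimate localhost line, an immunization-style
# entry with a comment, two entries that redirect security sites, and junk.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.adserver.example   # constructed: an immunization-style entry
0.0.0.0         www.malwarebytes.org   # constructed: redirects a cleanup-tool site
127.0.0.1       download.avg.example  forums.spybot.example
   # indented comment line
bogus line with no ip
"""

# Sites the poster would want reachable (constructed placeholders apart from
# www.malwarebytes.org, which the thread itself links to).
SECURITY_SITES = [
    "www.malwarebytes.org",
    "download.avg.example",
    "forums.spybot.example",
    "www.comodo.example",
]


def parse_hosts(text):
    """Return {hostname: ip} for every valid entry; comments and junk are skipped.

    A hosts line is '<ip> <host> [<host> ...]' with '#' starting a comment.
    If a host appears twice, this parser keeps the last occurrence.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline and full-line comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                           # first field is not an IP: not an entry
        for host in fields[1:]:
            entries[host.lower()] = ip
    return entries


def redirected_security_sites(entries, sites):
    """List (site, ip) for watched sites that the hosts file overrides at all.

    Any override of a vendor site is suspicious: a legitimate immunization
    list blocks ad and malware domains, not the tools you need to clean up.
    """
    return [(s, entries[s.lower()]) for s in sites if s.lower() in entries]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for site, ip in redirected_security_sites(hosts, SECURITY_SITES):
        print(f"{site} is forced to {ip} by the hosts file")
```

On a real machine, read the file from `%SystemRoot%\System32\drivers\etc\hosts` and pass its contents to `parse_hosts`; the watch list should hold the vendor domains you actually need to reach.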

Cliff Rohrabacher
08-18-2008, 1:39 PM
What was the suspect Source?

Rob Russell
08-18-2008, 2:33 PM
John,

If you had a "rescue" CD, you could boot from that without the malware loading. You may want to get an external USB hard drive, take a full backup of your PC so you have documents et al, then wipe your hard drive and reinstall your operating system + all of your software. That would be a lot of work, but could be the only way to rid yourself of the malware.

When you back up your data to the external drive, I'm sure that stuff will be infected too. Make sure that you have your malware protection set on high before you attach the external drive to your PC, and run a full scan before you copy any of your data back to your PC.

Good luck!

Rob

Chuck Wintle
08-18-2008, 2:46 PM
John,

Can you use any program to make a boot CD that will allow a scan in DOS mode? If you are having as much trouble as that, then maybe it is your only chance. Not sure about the USB key either. It may be that the virus is scanning for all files and folders of a certain nature to infect them too. Also UBCD or Ultimate Boot CD has antivirus tools which may help, in addition to many other useful tools. It's free to download and you only need to burn it to a CD.

Robert Eiffert
08-18-2008, 3:22 PM
It has been a while since I've had to do a rescue, but a couple of ways to try---

Use the Windows install CD. Need to catch the BIOS (F8) to switch it to 'start from CD'.
Might be able to then dig out the 'my docs' folder and download it to a USB or (probably better) an external HD. Then do really thorough scans before bringing them back in.

OR download a 'Live CD' of Linux (Ubuntu is very user friendly) and use that to explore your HD and copy off your docs.

OR remove the HD and put it into an external drive case (I think I put it in a NAS/ethernet case). Install a different (old extra) HD. Run a Live CD Linux, format the HD in the computer and install. Then plug in the external. The suspect HD in that case was having weird startup problems, and attempts to reinstall Windows on it hadn't worked. It took some digging (and help from a Linux forum) to get into the drive to rescue the data.

spywarewarrior.com has a pretty active forum for working through problems like this also. They have a link to a software package that records startup, then you post the log and replies come in with what you've got and how to fix. Antivirus 2009 shows up in the discussions there, btw.

I use AVG also - I thought it had an 'auto scan' feature when starting new .exe files. There is a right click option to scan downloads.

Sounds like you have a pretty thorough set of protections. About the only thing we do 'extra' is run SyncToy (download from Microsoft - though there are other good freeware backup programs) daily to echo our 'My Docs' folders to a NAS that doubles as our music server. Using delicious or diigo, etc. for bookmarks, installing a new HD would only result in a loss of internet history and autologins the first time around.

David DeCristoforo
08-18-2008, 6:16 PM
"...I broke one of the cardinal rules and ran an executable from an unconfirmed source..."

Doh! There's the rub. Once you do that, you have pretty much given the rogue app "carte blanche" to hose your system. The safest bet at this point is to erase the drive and reinstall the OS and apps. Hopefully, you have copies of your critical data on an unaffected drive. If not, I would like to suggest that you do so ASAP and in the future, never store data on the same drive as the OS.

John Schreiber
08-18-2008, 7:59 PM
Thanks for the ideas. It's great to have experts who know what to do and to have people who will share my frustration.

What happened was I was watching Olympic cycling events and got linked to a site where the video wouldn't come up. I was thinking I was on the VeloNews site, but in fact, I had clicked a link to some other video site. It said I needed a different codec to see the video, and I Googled the name of the codec and saw no problems; I saw that there were comments that the video was good and I hit OK. If I'd been paying attention, I would have realized I was on an untrusted site, and I would have realized that just because the exe had the same name as a good codec, that's no reason to trust it.

Anyway. I think I do have a rescue CD, from when I set up the PC, but that was a while ago and I'll have to look for it. If that doesn't work, I'll try one of the other bootables - Linux if I have to.

This has really pointed out to me the stupidity of having regular backups to a 2nd hard drive in the same case on the same OS.

If I can get something trustworthy going, I'll download the data to an external HD, then see what I can do from there. I hope I won't have to start fresh, but I've done it before. Hope I can find those disks and that they are still in good condition.

If I do have an external USB hard drive for backup, would it be vulnerable to a virus too? Should a person keep the external HD turned off when it's not doing the backup, or is there another trick?

Thanks all for listening and sharing my frustration.

David DeCristoforo
08-18-2008, 9:29 PM
Actually I keep several backups. One on an internal drive and a redundant copy on an external eSATA drive that is disconnected unless I am actually writing files to it. The main thing is to keep your data files on a separate drive. That way, even if your OS gets hosed, your data is still safe. Most malware attacks the OS and/or the "primary" drive or partition. For the most part a drive that contains only data files will be pretty safe. Even so, I have an external backup just to be on the safe side. I have files that go back 15 years and most of them would be irreplaceable at this point.

John Schreiber
08-20-2008, 9:31 AM
I'm not in the clear, but I've made some progress. The only way I moved forward was to borrow a friend's laptop and research the virus on that while experimenting with and trying to fix the other PC. I was able to download programs on the laptop, burn them to CD and read them on the desktop. That allowed me to fix the desktop without endangering the laptop.

I did some more research and did determine that I had the virus called "Antivirus 2009". This virus is an attempt to convince the user to buy a specific anti-virus program. It makes it look like your computer is a victim of every virus known to man, meaning that it throws false error messages. It's still pretty bad, but it's not as bad as it appears.

It makes me very paranoid about "help" sites, which may really be attempts to further mess you up to sell you something. I scrutinized those sites very carefully. Another problem was that some of the errors which I ran into were purposeful misspellings. A capital I, a lowercase l and a 1, or a 0 and an O, can't be told apart in some fonts, at least with my eyes. So that means I search for a report of a problem with a dll like rundll to see what the problem is, and actually it has been named rundII. Pretty clear in this font, but not in the default Windows font.

I finally decided to trust a program Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php) and it did a good job of cleaning up a lot of problems caused by "antivirus 2009." They will be getting a pay-pal from me for sure. Now I'm in the process of reinstalling things and being optimistic.
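The "rundll" versus "rundII" trick John describes is a lookalike-name substitution, and it is mechanical enough to check for. The script below is an added example, not the poster's or any vendor's tool: it folds the confusable glyphs the thread names (I, l, 1; O, 0) to one canonical character, so an imitation collapses to the same skeleton as the genuine name and can be flagged. The allow-list of binaries and the process list are constructed, and the Cyrillic lookalikes go beyond the ASCII cases the thread mentions.

```python
"""Flag file or process names that imitate known Windows binaries using
visually confusable characters (I/l/1, O/0), as described in the thread
(rundll renamed 'rundII'). Added example, not the poster's or any vendor's
tool. The allow-list and the process list are constructed; the Cyrillic
lookalikes go beyond the ASCII cases the thread mentions."""

# Constructed allow-list of legitimate binary names (lowercase).
KNOWN_BINARIES = {
    "rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe",
}

# Each confusable glyph folds to one canonical character after lowercasing,
# so names that differ only by a lookalike collapse to the same skeleton.
CONFUSABLES = {
    "l": "1", "i": "1", "|": "1",     # I (lowercased to i), l, | and 1
    "o": "0",                         # O and 0
    "\u0430": "a", "\u0435": "e",     # Cyrillic а, е
    "\u043e": "0", "\u0440": "p",     # Cyrillic о, р
    "\u0441": "c", "\u0445": "x",     # Cyrillic с, х
}


def skeleton(name):
    """Canonical form: lowercase, then fold every confusable glyph."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name.lower())


# Skeleton -> genuine name, built once. A collision here would mean two
# legitimate names are themselves confusable and the list needs attention.
SKELETONS = {skeleton(b): b for b in KNOWN_BINARIES}
assert len(SKELETONS) == len(KNOWN_BINARIES)


def classify(name):
    """'known' for an exact allow-list hit, 'lookalike:<genuine>' for a
    confusable imitation, 'unknown' otherwise."""
    if name.lower() in KNOWN_BINARIES:
        return "known"
    genuine = SKELETONS.get(skeleton(name))
    if genuine:
        return f"lookalike:{genuine}"
    return "unknown"


def find_lookalikes(names):
    """Return [(name, verdict)] for the names that imitate an allow-listed one."""
    results = []
    for n in names:
        verdict = classify(n)
        if verdict.startswith("lookalike:"):
            results.append((n, verdict))
    return results


# Constructed process list: two genuine names, two imitations, one unrelated.
SAMPLE_PROCESSES = ["explorer.exe", "rundII32.exe", "svch0st.exe", "notepad.exe", "lsass.exe"]

if __name__ == "__main__":
    for name, verdict in find_lookalikes(SAMPLE_PROCESSES):
        print(f"{name!r}: {verdict}")
```

Feed it the process names from Task Manager or a directory listing. It only catches glyph substitution against names on the allow-list; a genuinely named file dropped in the wrong directory, or a name with an extra character, slips through, so it complements rather than replaces checking where each file actually sits.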

Glenn Clabo
08-20-2008, 10:08 AM
Check out this forum John...
http://www.malwareremoval.com/

John Schreiber
08-20-2008, 8:55 PM
I'm now less optimistic. No need to read on, but I feel like maintaining a log (whining) here. This morning I had what seemed like a clean system. I was still getting some notices of missing dlls, but everything seemed to work. I re-installed a firewall and anti-virus then shut the PC down and went to work late.

After work, the PC won't boot all the way up. I had tried a rescue disk which I had made two years ago and the first one worked, then it asked for the 2nd disk which apparently didn't work.

I can bring up the task manager and browse for a new task. It shows that my anti-malware shortcuts are no longer on my desktop. Trying to run anything directly from the programs folder fails. The task manager shows only 14 processes, which makes me think that the boot up was interrupted.

I'm now downloading "ultimate boot disk" on the borrowed laptop and will see what that does. I also need to go get an external HD.

Andrew Derhammer
08-20-2008, 11:00 PM
Join bleepingcomputer.com They can run over a hijack this log and tell you all the steps to remove a problem.

John Schreiber
08-20-2008, 11:20 PM
A final whine. If I can't think of anything by tomorrow, I'll have to bring it to a pro. The computer won't boot off of the CD-ROM drive. When I use F2 to specify that it should boot off the CD-ROM drive, it says no drive exists. I tried it another way by changing the regular boot order in the setup utility and it had the same effect.

I can make it recognize the 3 1/2" floppy first, but I don't have any other computer which can write to a floppy. Even if I could, I haven't had great luck with this.

Pig nickles & flum buckets!

Makes me want to go truly neander. We could have a Sawmill Creek round-robin letter and skip these stupid computers.

Jim Becker
08-21-2008, 8:45 AM
John, have you considered perhaps a hardware/firmware problem with the computer? Not recognizing a physical drive at boot if allowed by the BIOS is quite curious...

Roger Everett
08-21-2008, 10:07 AM
Sounds like something I picked up a week ago, called Antivirus 2008XP and Antispyware2008. Constantly running messages whenever I changed a site page or went to a site, also when I wasn't online (all telling me I was infected by everything but the black plague). Totally froze and tied up my puter. Wanted to sell me a package for $49.95. Friend came over with one of those plug-in thingies with all kinds of anti-everything -- nothing worked. Finally, just as he was about to give up, we tried to do a restore to a week earlier (before the sh** started). It worked -- although I'm still leery of whether it will come back, but 4 days now, and still OK.
Roger

John Schreiber
08-28-2008, 11:26 AM
Just an update if anyone is interested. I finally took my PC to a pro shop. I could have done what the shop did, but I was overwhelmed with the damage and I wanted a professional opinion.

After looking at the damage, they imaged my working drive and extracted the data files from that. Then they reformatted the drive and reinstalled XP from my disks. They also replaced the CD-ROM, which was not working reliably, with a CD-R/W DVD-ROM. Cost ~$200. Not so bad considering.


I've been aware of and have fought viruses since they spread on 5.25" floppies in the 1980s, but this was by far the worst. This virus has affected thousands and thousands of people. If I could get hold of the evil . . . . who put this out there, I would at least sue them for the time and money people have spent cleaning their PCs, then I'd get damages from them for the way they make the Internet less useful because of fear. Then I'd grab them by the . . . . and . . . . until they . . . . .

Be careful out there.