A big-ass virus!

JonasK

Distinguished
Jun 20, 2008
1
0
18,510
Hi!

My computer is infected by what I believe is multiple spyware/malware.

It started with the installation of a video codec; then my computer became infected. Lots of "anti-virus" programs (fake, obviously) started to appear on my desktop, it said "Virus alert" next to my clock, but it was fairly in control... until my father screwed everything up. When I was away he went online and started downloading things (don't really know what it was, but I think it was updates to Microsoft XP etc.).

After that everything went to hell: all virus programs became disabled and couldn't be turned on. In fact, all programs with .exe at the end don't work, no "errors", they just won't start.

My C:\ and D:\ drives won't appear in my "This computer" (or whatever it's called in the English version).

I have no access to the internet, virus programs or any other program. What should I do?

I know it has to be done step by step, and the first step must be activating ".exe programs".

I have access to CMD, Regedit and Task Manager (the last one after some tweaking). I hope anyone can help me because I've got important stuff on the drives.
 

gomerpile

Distinguished
Feb 21, 2005
75
0
18,580
Let me guess, a "heatwave" virus program keeps popping up. You need an injection tool to remove the runtime codes. I've removed this, but to explain the process is just too friggin' hard. The kernel is infected, and several files are running in memory, and every time you do something to try to remove it the virus changes its name, so you really never know which file to remove.
The best I can say is create an XP CD so that you can work with the hard drives to remove the problem.
http://www.diskinternals.com/boot-cd/screenshots.shtml
The way I remove this is by using a small 6 gig hard drive with XP installed, allowing me to work with the infected drive.
You can remove this if you're good with files: you need to check the process and remove the serverservice, can't exactly remember the name.
I had to use HijackThis to remove the service from Winsock, then remove all files related to that serverservice process. I cannot remember the name of the other; it was a tricky one, it's the file that causes the heatwave icon in your toolbar/Task Manager. Or take your loss and redo the system. Note: always disconnect from the Internet when removing a virus.
The Microsoft removal tool will remove the virus for you if you can boot the system and run the tool. You will still have the payload of that virus.
 

lolitha

Distinguished
May 24, 2006
112
0
18,630
Use Windows Task Manager and examine it for new services that weren't running earlier. If you find which ones belong to viruses etc., stop them.

Go to Folder Options and turn on viewing hidden files and system files.

If it shows the original files, back them up.
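One way to carry out the two checks in this post from a command line, as an added example that is not from the thread or from any tool mentioned in it. It assumes a modern Windows PowerShell (5.1 or later) run as administrator, which an XP-era machine would not have had; the registry keys it writes are the documented Folder Options switches, the `"%1" %*` value it compares against is the Windows default handler for .exe files, and the logic that splits a service's executable path from its arguments is the example's own heuristic. That a hijacked .exe association is the cause of the opening post's symptom is an assumption made for the example.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+ run as administrator.

# 1. Running services, the executable behind each one, and whether that executable
#    carries a valid Authenticode signature. Unfamiliar services whose binary is
#    unsigned or missing are the ones to look at first.
function Get-RunningServiceBinaries {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may be quoted and may carry arguments; keep only the image path.
            # Heuristic written for this example: an unquoted path containing spaces
            # will be cut short, which is itself worth a look.
            $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] }
                   else { ($_.PathName -split '\s+')[0] }
            $status = if (Test-Path -LiteralPath $exe) {
                          [string](Get-AuthenticodeSignature -FilePath $exe).Status
                      } else { 'FileMissing' }
            [pscustomobject]@{
                Name      = $_.Name
                Account   = $_.StartName
                Image     = $exe
                Signature = $status
            }
        }
}

# 2. Make Explorer show hidden files and protected operating-system files
#    (the same two switches as Folder Options > View).
function Show-HiddenAndSystemFiles {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name 'Hidden'          -Value 1 -Type DWord  # 1 = show hidden files
    Set-ItemProperty -Path $key -Name 'ShowSuperHidden' -Value 1 -Type DWord  # 1 = show protected OS files
}

# 3. Read-only check for the symptom in the opening post (.exe files silently not
#    starting). The default open command for .exe files is the bare "%1" %*; any
#    program name in front of it means every .exe launch is being routed through it.
#    (That this is the cause in the opening post is an assumption of this example.)
function Test-ExeAssociation {
    $key = Get-Item -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $cmd = [string]$key.GetValue('')
    [pscustomobject]@{
        Command   = $cmd
        Expected  = '"%1" %*'
        IsDefault = ($cmd -eq '"%1" %*')
    }
}

Get-RunningServiceBinaries | Sort-Object Signature, Name | Format-Table -AutoSize
Test-ExeAssociation
```

Two caveats when reading the service listing: on Windows versions before 8, `Get-AuthenticodeSignature` does not consult security catalogs, so legitimate catalog-signed system binaries show up as `NotSigned`, and a malicious service can install a perfectly valid signature. Treat the Signature column as a triage hint for which binaries to inspect, not as a verdict. The functions only read and display, apart from `Show-HiddenAndSystemFiles`, which changes the current user's Explorer view settings and nothing else.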
 

gomerpile

Distinguished
Feb 21, 2005
75
0
18,580
No, this virus does not show up in Task Manager. After the virus is removed the payload does show up, but you cannot delete it or stop the service; the only way is with an injection tool to remove the lines of code from kernel32. Then you are able to remove the files.
 

gomerpile

Distinguished
Feb 21, 2005
75
0
18,580
sqlmap is an automatic blind SQL injection tool capable of enumerating an entire remote database, performing an active database fingerprint and much more. The aim of this project is to implement a fully functional database mapper tool which takes advantage of web application security flaws.
This is one tool; now scripts are running bots to use this and inject their code into kernel.dll and Windows core components. I use HijackThis to map the kernel.dll and display the files that the kernel calls upon. You can use tools to remove the lines of code a bad site put there.
Pavark is a good tool to check for rootkits.
 

techguy911

Distinguished
Jun 8, 2007
251
0
18,940
Try these, in this order:

Spybot 1.6: scan and clean
AVG Anti-Spyware: scan and clean
CounterSpy: scan and clean
SUPERAntiSpyware: scan in safe mode and clean
Malwarebytes' Anti-Malware: scan and clean
RogueRemover PRO: scan and clean

They can all be downloaded from www.download.com
 

donald7777

Distinguished
May 24, 2007
4
0
18,510
Try this.
ttp://forums.whatthetech.com/VIRUS_ALERT_In_the_system_tray_next_to_the_clock_t92655.html
This guide usually removes all the spyware I have seen.
Of course you have to adapt the guide to your situation with HijackThis.
Also disconnect from the internet.

Edit: the address is not hot-linkable, just add the H in front of the ttp://
Can't remember the forum's hotlinking rules.
 

Hailie

Distinguished
Sep 25, 2008
8
0
18,510
It sounds like the virus, whatever it is, has latched on to the kernel and is going to be a little trickier to remove than simply booting into safe mode and removing a known executable. If it's running in memory and changing its name to evade detection, you're going to have to isolate it carefully.

techguy911's advice seems pretty good to me. I've had good experience (if you can call it that!) using the Malwarebytes program to get rid of bad files. Give that one a go for sure.
 

hacker16

Distinguished
Oct 27, 2008
5
0
18,510
That is a very tricky virus indeed. I suggest you use the Smitfraud removal tool. Disable your AV before downloading, because some detect it as a virus (which it is not), from:
http://siri.urz.free.fr/Fix/SmitfraudFix.exe
And then reboot your system. Boot up in safe mode, then run the tool with the logo on it. It will terminate all processes, so don't freak out or whatever. If you don't understand this, go to:
http://forum.securitycadets.com/index.php?showtopic=283 and follow the instructions.
 

Gerthella

Distinguished
Apr 13, 2009
1
0
18,510
I know less than nothing about computers, but I have a popup that indicates it's Windows IE, which says my system will slow down and stop if I don't do something. Sure enough, it locks the whole thing up. I've discovered it only shows up on the Google search engine. I can go to the same topics with Yahoo search and it doesn't show up. I have no idea how to remove it, but take a little comfort at Yahoo by not seeing it any more. I've run McAfee everything and still have it.