
Having resolved the problem after much difficulty, I wonder if there is a better way to fix this issue? With the benefit of hindsight I wish I had taken more notes along the process. I thought I had seen this malware before, so was surprised when the system appeared totally inaccessible.

The Windows XP SP3, IE8, AVG 2011 system booted up into the classic view with only one user; the desktop was blank, clicking on the start panel indicated that all items were blank, and I couldn't even load the task manager. Up popped a screen which indicated that the hard drive was damaged, the registry was infected, and the RAM was suspect!

Okay, I thought, this is a virus. Safe Mode and Last Good Configuration made no difference. Using the XP repair console, I was surprised when I found the 5 registry hives in the repair folder were all missing. I did a fixmbr and fixboot in case there was a problem here, but it made no difference. So I removed the HDD and ran a scan on another PC; nothing of significance was found by AVG 2012. I did note that there was another partition, "data", which has no drive letter, nor could I add one; I also noticed that there was no set of folders in Documents & Settings for the current user - were they on the "lost data" drive?

Anyway, I was able to take ownership of the "System Volume Information" folder and extract the relevant hives from prior to when this situation first occurred, and restore the registry back to its proper location. This stopped the pop-ups, but I still had the blank desktop and start panel.

However, more by luck than judgement, by changing the taskbar from classic to start (I found by right-clicking I could get something up!) I could get access to the C drive and to a flash drive, but the D drive was still inaccessible. Combofix to the rescue!

It found all malware and removed the offending items, and all of a sudden the system was back to normal. Malwarebytes found nothing more, nor did Spybot.

Here is the Combofix deleted report (see attachment for the full report):

c:\windows\system32\RtlGina2.dll
c:\windows\system32\Thumbs.db
c:\windows\system32\usmt\migwiz_a.exe
D:\Autorun.inf
d:\documents and settings\All Users\Application Data\M5rB8it21RoWVu.exe
d:\documents and settings\All Users\Application Data\ovLtSvlXCxH.exe
d:\documents and settings\len\Application Data\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
d:\documents and settings\len\Desktop\System Fix.lnk
d:\documents and settings\len\Start Menu\Programs\System Fix
d:\documents and settings\len\Start Menu\Programs\System Fix\System Fix.lnk
d:\documents and settings\len\Start Menu\Programs\System Fix\Uninstall System Fix.lnk
d:\documents and settings\len\WINDOWS

My question is, for future reference, is there another, easier way of resolving this particularly nasty piece of malware? And what is the name of this malware?

Thanks for your advice.
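An added triage script, not from the original post and not part of Combofix, that turns the deletion list above into detection heuristics and runs them over a constructed copy of those paths (plus one benign control path). The rule names and the random-name threshold are this example's own assumptions:

```python
import re

# Constructed sample: the paths Combofix reported deleting in the post above
# ("len" is the poster's profile name) plus one benign path added as a control.
SAMPLE_PATHS = [
    r"c:\windows\system32\RtlGina2.dll",
    r"c:\windows\system32\Thumbs.db",
    r"c:\windows\system32\usmt\migwiz_a.exe",
    r"D:\Autorun.inf",
    r"d:\documents and settings\All Users\Application Data\M5rB8it21RoWVu.exe",
    r"d:\documents and settings\All Users\Application Data\ovLtSvlXCxH.exe",
    r"d:\documents and settings\len\Desktop\System Fix.lnk",
    r"d:\documents and settings\len\Start Menu\Programs\System Fix\System Fix.lnk",
    r"c:\program files\Mozilla Firefox\firefox.exe",  # benign control, constructed
]

def looks_random(stem: str) -> bool:
    """Heuristic (assumed threshold): an 8+ character alphanumeric name whose
    character class (upper/lower/digit) changes at least four times."""
    if not re.fullmatch(r"[A-Za-z0-9]{8,}", stem):
        return False
    classes = ["d" if c.isdigit() else "u" if c.isupper() else "l" for c in stem]
    return sum(a != b for a, b in zip(classes, classes[1:])) >= 4

def classify(path: str) -> list:
    """Return the names of every heuristic the path trips (empty if none)."""
    norm = path.replace("/", "\\")
    low = norm.lower()
    stem, _, ext = norm.split("\\")[-1].rpartition(".")
    hits = []
    # Shortcuts and Start Menu folder of the rogue "System Fix"
    if re.search(r"\\system fix(\\|\.lnk$)", low):
        hits.append("rogue_system_fix_artifact")
    # Random-looking executable dropped in the shared Application Data folder
    if "\\all users\\application data\\" in low and ext.lower() == "exe" and looks_random(stem):
        hits.append("random_named_exe_in_shared_appdata")
    # Autorun.inf at the root of a data drive
    if re.fullmatch(r"[a-z]:\\autorun\.inf", low):
        hits.append("autorun_inf_at_drive_root")
    # A GINA DLL other than the stock msgina.dll (XP loads the GINA DLL at logon)
    if re.fullmatch(r"[a-z]:\\windows\\system32\\(?!msgina\.dll$)[^\\]*gina[^\\]*\.dll", low):
        hits.append("third_party_gina_dll")
    return hits

def flag(paths) -> list:
    """Pair each path with every heuristic it trips."""
    return [(p, h) for p in paths for h in classify(p)]
```

Run `flag(SAMPLE_PATHS)` to see which of the listed paths the heuristics pick out; Thumbs.db, migwiz_a.exe and the Firefox control are left alone.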


Hello and welcome to Malwarebytes

You seem to be pretty knowledgeable since you were able to get the system back up. We have experts here on the board that help with the cleanup of computers. They have tools that will help with the cleanup process. Depending on the infections found, sometimes it's pretty simple and sometimes it gets pretty in depth. The steps below are what we have our members follow to get the system back in order. You can either follow them to have your computer checked to make sure all the infection is gone, or you can use it for future reference.

If you think you are infected, here are the steps needed to get your computer cleaned:

Please read the following so that you can begin the cleaning process:

Don't use any temporary file cleaners unless requested - this can cause data loss and make recovery difficult

You have 3 Options that you can choose from as listed below:


  • Option 1 —— Free Expert advice in the Malware Removal Forum
  • Option 2 —— Paying customer -- Contact Support via email
  • Option 3 —— Premium, Fee-Based Support

OPTION 1

As we don't deal with malware removal in the General Malwarebytes' Anti-Malware Forum, you need to start a topic in the Malware Removal forum so a qualified helper can help you fix any malware related problems/infections you may have.


  • Please read and follow the , skipping any steps you are unable to complete.

  • After posting your new post, make sure under options you select Track this topic and choose Immediate Email Notification, so that you're alerted when someone has replied to your post.

NOTE:
Please do not post back to (bump) your topic within the first 48 hours.

Replying to your own posts changes the post count and helpers are looking for topics with zero replies.

If you reply to your own post helpers may think that you're already being helped and thus overlook your post.

    • If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.

      Or

    • You may send a Private Message to a Moderator asking for assistance.


OPTION 2

Alternatively, as a paying customer, you can contact the help desk at or .

OPTION 3

If you would like to use our Malwarebytes Premium Services, comprehensive solutions to all your computer support needs, from installation and set-up to troubleshooting and tune-ups, go to our support site.

Please be patient, someone will assist you as soon as possible.

PS: Please use the "Add Reply" button, not the Reply button, when you start replying.

Yes thank you for your input, certainly helpful for future reference.

However, I was wondering if any of your contributors had come across this situation before, and had a better/quicker way of overcoming it? Further, does this piece of malware have a generic name?

Advice: you should use a good firewall such as Comodo or Online Armor if you do not yet have one. Don't just base your protection on AVG and the XP firewall, since they are standalone and they don't do much, from all the years I have been testing them. If you had Malwarebytes Pro it usually blocks rogue software really well.

2 weeks later...

Okay, I have another case of the same problem - the virus is, I believe, a fake SystemFix - in this case on a Win 7/64 SP1 PC with AVG 2011.

In this case I could get into Safe Mode; however, in this case neither rkill nor tdsskiller found anything - even Malwarebytes, which found a couple of (irrelevant) items, has not been able to shift this - rebooting after the Malwarebytes scan in normal mode showed the fake SystemFix virus in full glory!

Combofix resolved the problem apart from some minor general settings which had to be manually re-configured.

I guess the key point here is not to try and clear the temp folders before you remove the offending files, otherwise it does make removal more difficult.

Incidentally, I submitted a couple of .exe files to VirusTotal - each was identified by approx 35% of the assessors - noticeably not by Symantec!

I have zipped and attached the files in case it is helpful to the Malwarebytes team.

Edited by exile360
Removed attached malware to prevent other users from getting infected (please post samples in the "Research Center")