Question Hello. I hope you can help me. After battling hard against a virus I caught, or rather the whole lot of baddies including trojans and worms that came with it under the name System Security 2009, I think I am reaching the end of the saga.
What I did was use Spybot, Ad-Aware, SUPERAntiSpyware and AVG Antivirus to get rid of the rubbish, which according to them I managed. Now, I had been left with rootkits detected by AVG, yet it couldn't get rid of them as they reappeared upon reboot. I then resorted to downloading the rootkit program of AVG: scanned, found, removed... kazaam, no executable now wants to open, and at login an error pops up asking me for a program msqti.exe, which I am inclined to assume is part of the trojan/rootkit business.
However, the 2 drivers AVG found were in the system32 folder, both ending with the extension .sys and having the general filename SKYNETxxx.sys, where xxx is a string of gibberish letters; I don't know if it is exactly 3 or 5 letters. Anyway, during the residence of these system files, I noticed that only the hard disk wasn't showing in the Disk Management part of services.msc. My hard drive is partitioned in two, so I should see two types. Also, administrative privileges got mixed up. I couldn't burn a CD, for example, using Nero, as it said I'm not an administrator (in fact I am), and no disk apart from the image recorder showed. This issue with the administrative privileges is strange.
On the successful removal of the .sys files, the disks are showing, but executables are not running! :( Lucky me!
Also, whilst trying to understand what the hell those system files did, I noticed two rather suspicious services running: one called darkness (with no description offered) and the other a gibberish mix of numbers and letters (with no description either). I disabled them both, but still no luck.
Right now I'm running AVG again in safe mode. It seems to be finding others, but no conclusive result yet.
I forgot to mention that in safe mode all programs run perfectly, so I may assume that in normal mode it's a driver-related problem. And it is here that I kindly need your help, to guide me on how to 'reset' what the bloody malware did.
PC info:
Winxp SP2
AMD XP 2600+ MHz
around 2GB RAM (1GB, 1GB, 256MB)
Thanks in advance,
Ian
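A read-only triage script for the symptoms Ian describes (services with no description, SKYNET*.sys drivers in System32, executables refusing to run outside safe mode, the msqti.exe error at login), added here as an example; it is not from Ian's post nor from any of the tools named in the thread. It assumes PowerShell 2.0 (the last version available for Windows XP) started from an Administrator session; the names SKYNET and msqti are taken from the post, and the default .exe handler value `"%1" %*` is the standard Windows one. It only lists what it finds and removes nothing, so each item can be checked against vendor write-ups before anything is touched.

```powershell
# Constructed triage example for the symptoms in the post above; not part of the
# original thread. Read-only: it reports, it does not delete or disable anything.
# Assumes PowerShell 2.0 (Get-WmiObject, not Get-CimInstance) run as Administrator.

$findings = @()

function Add-Finding($kind, $name, $state, $path, $reason) {
    $script:findings += New-Object PSObject -Property @{
        Kind = $kind; Name = $name; State = $state; Path = $path; Reason = $reason
    }
}

# 1. Services and kernel drivers with an empty Description. Built-in Windows
#    components almost always carry one; the two services in the post did not.
$svcs = @(Get-WmiObject -Class Win32_Service) + @(Get-WmiObject -Class Win32_SystemDriver)
foreach ($s in $svcs) {
    if ([string]::IsNullOrEmpty($s.Description)) {
        Add-Finding $s.__CLASS $s.Name "$($s.State)/$($s.StartMode)" $s.PathName 'no description'
    }
}

# 2. Driver files matching the naming pattern from the post, in both places it
#    could sit (System32 itself, as Ian reported, and System32\drivers). The
#    Authenticode status is recorded because legitimate XP drivers are normally signed.
$dirs = @("$env:SystemRoot\System32", "$env:SystemRoot\System32\drivers")
foreach ($d in $dirs) {
    Get-ChildItem -Path $d -Filter 'SKYNET*.sys' -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        Add-Finding 'File' $_.Name "sig=$($sig.Status)" $_.FullName "name pattern, created $($_.CreationTime)"
    }
}

# 3. "No executable wants to open" in normal mode: compare the .exe open handler
#    with the Windows default of "%1" %* so a redirected handler shows up.
$cmdKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$cmd = Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue
$exeHandler = if ($cmd) { $cmd.'(default)' } else { '<key missing>' }
if ($exeHandler -ne '"%1" %*') {
    Add-Finding 'Registry' 'exefile open command' '' "$cmdKey -> $exeHandler" 'not the default "%1" %*'
}

# 4. The msqti.exe message at login: look for any autostart or Winlogon value
#    that still references the name (Winlogon Shell/Userinit are the usual spots).
$autoKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($k in $autoKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($props -eq $null) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }
        if ("$($p.Value)" -match 'msqti') {
            Add-Finding 'Registry' $p.Name '' "$k -> $($p.Value)" 'references msqti.exe'
        }
    }
}

# Print the report; nothing has been changed on the machine.
$findings | Sort-Object Kind, Name | Format-Table Kind, Name, State, Reason, Path -AutoSize
```

Each line of the report is a lead to verify, not a verdict: a blank description alone is weak evidence, whereas an unsigned driver with the reported name pattern, a non-default .exe handler, or an autostart entry pointing at a file that no longer exists are the findings worth writing down and searching for on the vendor sites before any removal step.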
Answer Hi Ian,
Try using System Restore by going to Start, Programs, Accessories, System Tools, System Restore. Restore back to a date when Windows was working correctly. If you do that and get Windows starting in regular mode, using Internet Explorer go to:
Click "Continue to Symantec Security Check", in the next window click No when asked if you want to close this window, that will bring you to a window where you should click Virus Detection.
Write down exactly anything it finds, then go to: http://www.symantec.com/search/ and do a search for what was found. Symantec usually has a removal tool and/or directions for removing manually. Make sure that you follow the instructions for removal, step by step, especially the part regarding disabling System Restore.
I would also suggest downloading Malwarebytes Anti-Malware 1.37 from:
Since you cannot get online, if you have any important data that isn't backed up, I would suggest taking the computer to the local repair shop and letting them back up whatever you want and reinstall Windows for you.
If there isn't important data, you can use the Restore/Recovery CD or the Windows XP CD to install Windows.