Well I had fun last night.
I think I came across one of the worst infected machines ever. On the face of it it looked like it was infected with Spyshredder and WinAntiVirus, but the problem was much much deeper than this and I had a real fight on my hands with this one.
The machine was protected with NAV and spybot S+D, but I suppose nothing will over-ride some of the exploits when a user decides to say yes and click to install something.
Spyshredder in itself is pretty nasty, but once this machine was "opened up" then the amount of viruses that can be installed on the machine just keeps going. Some of the other nasties I had to tackle were Win Antivirus, SmitFrad, SpyFalcon, SmitFraud and numerous troj_dloaders.. There was a total of nearly 100 viruses onboard by the time I got to the machine.
By which time:-
- The resident AV had been disabled.
- No other AV could be installed.
- The hosts file had been amended so that no way could you get to any AV site such as symantec, trend etc.
- The hosts file had been locked.
- IE was locked to the Spyshredder site.
- Access to control panel had been removed. - Cannot find "Control Panel"
- The ability to find any info about "My computer" had been removed and right clicking gave an error message "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator".
- Access to system restore had been removed - "Windows cannot find gpedit.msc" and "windows cannot find config.msc".
- Access to the registry had been removed. - Access to regedit not allowed.
- The machine was running painfully slow due to the fact that so many viruses were resident and every action resulted in messages urging the user to buy Spyshredder or other supposed AV cleaners and several pop-up messages saying the machine was infected.
- Access to task Manager had been removed so you couldnt kill any running processes or threads.
Yes I did all the usual stuff, safemode and despite it supposedly not meant to happen in safe mode - even logging in as the main administrator I still couldnt do things I wanted to such as access certain parts of the PC or turn off sys restore.... and WinAv was still running whilst in safe mode (do not ask me how cause Ive no idea on that one).
Scanning with spybot, adaware, edwido etc etc even in safe mode wouldnt clear the virus.. and I couldnt install a new av whilst in safe mode. Even my fav tool HJT wasnt playing in helping to remove this one.
How did I clear it? Well to be honest Ive no idea of the real process cause it was fight this thing all the way, and gain a new inroad each time.
Im putting this info up here in the hope that it may help someone else in the future.
------------
First step was being able to get into the registry.- Symantec Offer a nice tool UnHookExec.inf which can be downloaded from
here.
I then disabled just about everything I could from start-up in msconfig, which then allowed me to run...
Spybot, edwido etc in safe mode and let them remove as much as they could.
Ran HJT and was also able to clear the host file.
Rebooted into normal mode installed AVG updated with latest definitions, rebooted back into safe mode and ran scan... let that clear up about another 20+ trojans.
Virus was still resident so back to safe mode (still no access to Control panel, sys restore, gpedit.msc or config.msc )
Edited/Created the following keys in the registry
Edited User Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Set Value to 0. (0 = disable restriction, 1 = enable restriction) Created new System Key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value Name: NoControlPanel
Data Type: REG_DWORD (DWORD Value)
Value Data: 0 (0 = disable restriction, 1 = enable restriction) (see screen cap below)
The above now allowed me to access certain parts of windows, so booted up into normal mode and switched off system restore. Booted back into safe mode again.
- Scanned with AVG and S+D let it remove what it could.
- Ran HJT and let it fix the following
~ c\program files\Common\WinAntiVirus\ueo7pcw.exe
~ c\windows\system32\printer.exe
~ c\windows\ system32\spool
vs.exe - caution! spool
sv is a valid windows file
~ c\program files\common\winAV 2007
~ c\program files\common\winAV 2006
~ HLKM \policies - disable regedit
Damn! the bugger was still there..
Booted back into normal mode - ran Trend Housecall - let it remove another 7 viruses.
Still there - Manually deleted the following folders:-
c\program files\Common\WinAntiVirus (or WinAV)
Ran a search on WinA* and deleted several items which related to the virus scattered on the drive such as WinAVxx.exe and uwa7pcw.exe.
It had also cleverly hidden itself in some files called shell.exe and printer.exe (extreme caution needed here to make sure you arent removing valid windows files).
Okay nearly there - the machine is almost clean - final thing to do was remove WinAV from Control Panel.
To do this you need to run a search on all *.cpl files.
I found it under something like wav.cpl
Best way to ensure youre not removing something valid is move the file to a safe folder you created such as "bin". Then drag the item to there. Then refresh (F5) control panel to see if its gone. Once you know that file is def winAV then you can bin it to eternity
---------------------------------------
Warning: The above guidelines are my experience and involve editing the registry and using powerful tools such as HJT and UnHookExec.inf which could damage your operating system. If you are unsure what you are doing then proceed with caution and I take no responsibility if you mess something up big time.
This virus is particulary nasty since it opens up the infected PC to other trojans which may cause more damage. Its self propogating and hides itself in what could be valid system files and disables many functions to avoid removal. Unfortunately none of the AV tools I ran were fully able to remove this completely and the above has been written in the hope that it can help someone else in the future.
I strongly suspect (although I have no proof of but talking to the teenage kids that use the PC) that this virus originated from one of the "You've received an e-card from a friend" ilks which came through on MSN. Once resident it spawned multiple trojans of various types which made it so hard to eradicate.
[attachment deleted by admin]
