I caught the Internet Security 2010 virus.
I used a malwarebytes full scan to delete it.
Upon restart, I can't get into Windows. Safe mode does not even work, and 'last known working configuration' does not work.
Right now I'm in linux.
I would do a clean install of windows but I need the files on the windows partition.
-
http://www.michaelstevenstech.com/XPrepairinstall.htm Even a Windows Repair did not work.
-
ScuderiaConchiglia NBR Vaio Team Curmudgeon
Is there a question here? Or just a cry of anguish? If the latter, man, I feel for you. You can always try a Linux live CD or one of the bootable CD versions of Win XP to boot up and copy your data off to an external drive. (But be careful with that copy; the data files themselves MIGHT be infected as well.)
Gary -
How do I fix this error while retaining my data?
Or, safely retrieve my data from linux so I can store it on another medium. -
I tried:
chkdsk /r
(check disk repair) and it said it found and repaired multiple errors, but when I tried to go back into windows it could not.
I also tried repairing windows again, no luck.
Any other suggestions?
Is there a way I can back up Windows files from Linux, and then store them on another medium, format the hard drive, and put my important files back? -
Yes, simply mount the partition from your Linux system and copy off your important data. The virus will not run on Linux, and every hidden virus executable is visible.
See that is why Microsoft should have made MSE a default install. -
I mounted the partition using this tutorial: http://www.cyberciti.biz/faq/mounting-windows-partition-onto-ubuntu-linux/
But how do I copy the important data?
Can you be more specific? I'm not even sure I mounted the data.
-
Ran into this twice yesterday. I cannot say where Internet Security 2010 began and other viruses ended, because the machines appeared to have been infected with multiple other viruses for some time, but I can tell you how to get back into your computer.
It was definitely 2010 that crapped up these computers so badly the user could not even get into them, like yours, though, because this infection was the onset of being locked out of the computer.
After fixing these, I still had to go in and clean them up manually as there were partial infections left behind. Sorry I wasn't taking notes, but after you get it up and running, just try running every spyware program and antivirus known to man.
I do recall there were 3 files in c:\windows\system32 all ending in *32. I cannot recall what they are now, but they were all named to sound like Windows files. One was something like helper32.dll; the others I cannot recall.
The source of your problem, though, is that the thing infected your Windows NT logon key in the registry, which is what is killing you: kill the files and winlogon won't let you log on. I think that is what Malwarebytes may have done.
Anyway, since you have xp3, this is what I would do.
I made a vistaPE disk
http://www.vistape.net/
and booted the computer with it. You may be able to do the same from your Ubuntu partition if you have read/write capability.
I retrieved a restore point from before the infection from SYSTEM VOLUME INFORMATION and pulled the 5 registry snapshot files out and renamed them:
Rename _REGISTRY_USER_.DEFAULT to DEFAULT
Rename _REGISTRY_MACHINE_SECURITY to SECURITY
Rename _REGISTRY_MACHINE_SOFTWARE to SOFTWARE
Rename _REGISTRY_MACHINE_SYSTEM to SYSTEM
Rename _REGISTRY_MACHINE_SAM to SAM
I then dropped these in c:\windows\system32\config--overwriting the (infected) registry hives present.
Rebooted Windows. At this point, you are bypassing the virus files so Windows will start, but the actual virus files are still on your computer...but they are inert.
Like I said earlier I cannot recall all the files that were specific to this virus as there were multiple infections and I kind of lost track, but this allowed me to get back into the machines, clean up the damage and get them back up and running.
I doubt MSE or anything is going to save you from problems like this. In order to defeat a virus, an antivirus has to know about it in its virus definitions. Barring that, you're relying on the heuristic components of AV programs, which tend to look for oddly named files, but virus writers are making these things with normal-sounding names, and they change the virus every few weeks to avoid AV programs. -
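The hive-swap procedure described in the post above (pull the five `_REGISTRY_*` files out of a restore point's `snapshot` directory, rename them, drop them into `system32\config`) as a shell script for a Linux live session with the Windows partition mounted read/write. This is an added example, not the poster's own steps or any tool's code. It assumes the usual XP layout (`System Volume Information/_restore{GUID}/RPnn/snapshot/`) and that the partition is mounted at a path you pass in; it backs up the hives it overwrites so the change can be undone.

```sh
#!/bin/sh
# Restore the five XP registry hives from a System Restore snapshot.
# Added example. Assumed layout under the mounted Windows partition:
#   System Volume Information/_restore{GUID}/RPnn/snapshot/_REGISTRY_*
#   WINDOWS/system32/config/{DEFAULT,SECURITY,SOFTWARE,SYSTEM,SAM}
set -e

# List snapshot directories that contain a SYSTEM hive, newest first, so a
# restore point dated before the infection can be chosen.
list_snapshots() {
    svi="$1/System Volume Information"
    ls -dt "$svi"/_restore*/RP*/snapshot 2>/dev/null | while IFS= read -r d; do
        [ -f "$d/_REGISTRY_MACHINE_SYSTEM" ] && echo "$d"
    done
}

# Map a snapshot filename to the hive name Windows expects in system32\config.
hive_name() {
    case "$1" in
        _REGISTRY_USER_.DEFAULT)    echo DEFAULT ;;
        _REGISTRY_MACHINE_SECURITY) echo SECURITY ;;
        _REGISTRY_MACHINE_SOFTWARE) echo SOFTWARE ;;
        _REGISTRY_MACHINE_SYSTEM)   echo SYSTEM ;;
        _REGISTRY_MACHINE_SAM)      echo SAM ;;
        *) return 1 ;;
    esac
}

HIVES="_REGISTRY_USER_.DEFAULT _REGISTRY_MACHINE_SECURITY _REGISTRY_MACHINE_SOFTWARE _REGISTRY_MACHINE_SYSTEM _REGISTRY_MACHINE_SAM"

# restore_hives SNAPSHOT_DIR CONFIG_DIR BACKUP_DIR
# Refuses to start unless all five hives are present in the snapshot (a
# partial set would leave Windows unbootable), copies the current suspect
# hives to BACKUP_DIR, then installs the snapshot copies under their names.
restore_hives() {
    snap="$1"; config="$2"; backup="$3"
    for src in $HIVES; do
        if [ ! -f "$snap/$src" ]; then
            echo "missing $src in $snap, aborting before touching anything" >&2
            return 1
        fi
    done
    mkdir -p "$backup"
    for src in $HIVES; do
        dst=$(hive_name "$src")
        [ -f "$config/$dst" ] && cp -p "$config/$dst" "$backup/$dst"
        cp -p "$snap/$src" "$config/$dst"
        echo "restored $dst from $src"
    done
}

# Usage (mount point, snapshot and paths are assumptions):
#   sh restore_hives.sh /media/windows                 # list candidate snapshots
#   sh restore_hives.sh "<snapshot dir>" /media/windows/WINDOWS/system32/config /root/hive-backup
if [ "$#" -eq 1 ]; then
    list_snapshots "$1"
elif [ "$#" -eq 3 ]; then
    restore_hives "$1" "$2" "$3"
fi
```

Pick the newest snapshot that predates the symptoms, and keep the backup directory: if Windows still will not start, the original hives can be copied back the same way.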
I will try your VistaPE method and get back to you. thanks
-
Also of note: both machines also had rootkit infections in addition to Internet Security 2010. I don't know if this was part of the infection or a separate infection.
Rootkit infections will not be detected by many AV and spyware programs, so do a check with something like GMER as well.
(www.gmer.net) -
I will try to use WineHQ to run the VistaPE.exe (exe file) in Ubuntu.
-
What I mean is the poster probably downloaded it and installed it; it was not an accidental infection. It is because of confusion that people download any crappy malware calling itself anti-malware.
-
haha, I did NOT, download and install "Internet Security 2010"...
It's making headlines and installs itself as far as I can tell.
Internet Security 2010 Virus Removal Only With Spyware Doctor
I had only one user running as administrator, and Avira at moderate, so I think that is where the problem lies. -
1) The malware has to have a point of entry, a website or something; otherwise it is a worm, and worms seldom hit systems with dynamic IP addresses, especially behind a router firewall.
2) It cannot elevate system permissions itself; someone has to give them to it (unless it is XP). -
1) obviously
2) not true
3) I don't understand the point you're trying to make... -
It means someone accidentally
1) visited some website which launched the malware, or
2) downloaded the malware.
2) is true: Windows Vista/7 has UAC, which most malware cannot bypass. -
64) UAC can and has been disabled by many vista and windows 7 users.
bottom line) Let me grab my time machine, go back in time, purchase windows 7, back up my files, install windows 7, keep UAC enabled... and prevent losing all my future data. Thanks for your help, I really appreciate it... -
ScuderiaConchiglia NBR Vaio Team Curmudgeon
ARom,
At this point you are better off just writing off the existing OS and applications and ONLY worrying about recovering your data. As I said before, you need to create a bootable WinXP or Vista CD (i.e. a fully operational OS that boots from a CD or DVD; Google for "BARTpe"), then copy all your data off the machine and disinfect the data. Then wipe the drive clean and start over. Anything less is going to leave behind doubt that you got rid of the virus completely.
Gary -
Solution
I found my windows files in "file system/host" (ubuntu).
All Windows files of a Wubi Ubuntu install are stored in "file system/host". (courtesy of ubuntuforums.org)
For future reference:
- If you did not do a wubi install but the normal ubuntu install, simply click - Places/x.0 GB Media (computer, x.0GB Media)
- If you did not do a wubi install but the normal ubuntu install, and you cannot see the Media Drive, try mounting your windows drive with the ntfs configuration tool: http://www.psychocats.net/ubuntu/mountwindows
- check: "filesystem/host" regardless
- If you do not have any version of linux installed but have come across this problem (any Bsod or 'blue screen of death'), boot up a live ubuntu cd:
http://www.howtogeek.com/howto/wind...backup-files-from-your-dead-windows-computer/
- If you do not have any version of linux installed and prefer a windows based alternative to seek the files on your hard drive try a live windows cd: http://www.dedoimedo.com/computers/livecd.html (Bart's PE Builder)
Also
If you're going to run as administrator in Windows XP, make sure you raise the level of detection of your anti virus (high), and make it start earlier when windows boots up. Then you need a program like Malware Bytes Live Protection to compensate for not having Windows UAC because Avira, Avast, Eset, Norton etc.. have not been able to stop this one.
Otherwise, running as a Power User and/or Limited User, you do not have access to your /windows files. -
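The "mount the partition from Linux and copy off your important data" advice given earlier in the thread, and the solution post above, as one shell script. This is an added example, not the poster's or any project's code. It mounts the NTFS partition read-only with `noexec`, copies user data while leaving executable and script types behind (so the copy does not carry the infection along), records what was skipped, and writes a SHA-256 manifest so the copied files can be checked against an AV scan later. The device name, mount point and profile path are assumptions; on a Wubi install the Windows files are already visible under `/host`, so the mount step is not needed there.

```sh
#!/bin/sh
# Pull user data off a Windows partition from Linux without executing
# anything on it. Added example; assumes ntfs-3g, find and sha256sum.
# /dev/sda1, /media/windows and the profile name are assumptions.
set -e

# Mount the Windows partition read-only; noexec/nosuid/nodev so nothing on
# it can be run by accident while you browse it. Needs root.
mount_windows_ro() {
    dev="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -t ntfs-3g -o ro,noexec,nosuid,nodev "$dev" "$mnt"
}

# Return 0 for a data file worth copying, 1 for an executable or script
# type that is left behind. NTFS names are case-insensitive, so lower-case
# before matching.
is_data_file() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *.exe|*.dll|*.scr|*.com|*.pif|*.bat|*.cmd|*.vbs|*.js|*.lnk|*.msi|*.sys|*.cpl|*.ocx)
            return 1 ;;
        *)  return 0 ;;
    esac
}

# copy_user_data SRC DST: copy every data file under SRC to DST, keeping the
# relative path, and list skipped files in DST/.skipped for review.
copy_user_data() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    : > "$dst/.skipped"
    ( cd "$src" && find . -type f -print ) | while IFS= read -r rel; do
        rel="${rel#./}"
        if is_data_file "$rel"; then
            mkdir -p "$dst/$(dirname "$rel")"
            cp -p "$src/$rel" "$dst/$rel"
        else
            printf '%s\n' "$rel" >> "$dst/.skipped"
        fi
    done
}

# write_manifest DST: SHA-256 of every copied file into DST/MANIFEST.sha256;
# prints the number of files hashed. Lets you scan the copy and later prove
# nothing was altered (sha256sum -c MANIFEST.sha256).
write_manifest() {
    dst="$1"
    ( cd "$dst" && find . -type f ! -name MANIFEST.sha256 ! -name .skipped \
        -exec sha256sum {} + ) > "$dst/MANIFEST.sha256"
    wc -l < "$dst/MANIFEST.sha256" | tr -d ' '
}

# Usage (paths are assumptions):
#   sudo sh pull_data.sh /dev/sda1 /media/windows            # mount only
#   sh pull_data.sh "/media/windows/Documents and Settings/ARom" /media/usb/ARom-backup
if [ "$#" -eq 2 ] && [ -b "$1" ]; then
    mount_windows_ro "$1" "$2"
elif [ "$#" -eq 2 ]; then
    copy_user_data "$1" "$2"
    echo "hashed $(write_manifest "$2") files; see $2/.skipped for what was left behind"
fi
```

Run the copy to an external drive, scan that drive with up-to-date AV, and only then wipe the internal disk; the manifest lets you confirm afterwards that the scanned files are the ones you keep.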
So my solution did not work?
-
It might work, but I did not have a blank disc for Bart's PE Builder. You can get it running with WineHQ in Linux, however. Without Linux and WineHQ installed you'd need another machine to burn the live disc. VistaPE does not work in Linux because WineHQ cannot install Windows Server 2003.
But even if you had to burn one live disc, I suspect that a live Ubuntu disc is a better option than the Windows clones. There are various ways to copy the data from the Windows partition once in Linux. And Linux is more robust than Bart's PE or VistaPE in terms of support and security if you need time to find a Windows XP/Vista/7 disc to reformat the drive, or just to convert the files and get some work done, or email, etc.
I can even see all of the windows/windows32 files, but I can't be bothered to try and manually delete the virus; reformatting and a reinstallation will guarantee it's gone. -
Vicious Malware: Internet Security 2010 + Bluescreen ("of death")
Discussion in 'Security and Anti-Virus Software' started by ARom, Jan 15, 2010.