HardwareHeaven.com

Windows 7 Forum Discussion, driver support and everything related to Microsoft's latest and greatest OS!

Old May 26, 2011, 06:35 PM   #1
Judas
NEW NASTY virus/trojan/fake that does damage

Today I received a machine that received a "more" unique virus/trojan of some sort... the user has a paid AVAST subscription with all the bells and whistles and it didn't catch it.

I can't get rid of it easily either..

Now most of the common fake things generally are easy to get rid of, and don't really fuck up the system much... maybe a few internet redirects or whatever...

This one is different.

It sets ALL files, including hidden and user files to a hidden and read only state, and trying to reset them back is impossible.

It also disables most of all the admin functionalities, more so than just the taskmgr and regedit/msconfig... it does the whole whack of things... safe mode is a no go either, and manually creating a new account through other "ways" and attempting to do a Windows install over it seems to have no effect the moment it loads into Windows.

Furthermore, it gives bogus warnings and critical errors that EXACTLY mimic Windows Vista/7 warnings, but brings them to the front as a systray icon and in your face messages. IDE/SATA failures, CRC failures, Warnings about high Physical RAM usage and on and on and on and on..

I'm currently trying to back up the pictures and documents but having very little luck in preventing the virus from moving to the flash drives with an "autoexec" that fires the moment you plug it into another machine (glad I've a dummy machine for this purpose)

It looks like it uses all the existing stuff that Windows has, I mean it actually pulls up the "system restore" window and dates and allows you to appear to restore to a previous date.... and doesn't "fail" but on reboot it doesn't do anything.

This is a mean virus.. and it can't seem to get a clear name of wtf it is.

I just know that a fully up to date Avast Paid for subscription didn't stop it at all. And the virus was able to quarantine it and make it appear to be working "with no issues" ....

Bad stuff.....

BTW, UAC was disabled previous to this.....

Computer is a Dell..... not more than 5 months old too.

Just figured I'd give everyone a warning.
__________________
Quote:
I accidently my Reputation


Old May 26, 2011, 07:50 PM   #2
Jac

Re: NEW NASTY virus/trojan/fake that does damage

Sounds like the Windows Repair virus. Disables Task Manager, stops exes from running, hides all your files and folders then puts up this screen telling you your drives are failing etc etc.

I've had it twice in the last few months. MalwareBytes Anti-Malware got rid of it for me. Hopefully it has not mutated into an even worse version. I have just freshly re-installed Windows 7 (not because of the virus) and strangely programs still do not appear on the start menu.

For years I never bothered with AV software but this piece of shit has caused me to turn on UAC and install Avast.
Old May 26, 2011, 08:36 PM   #3
Tipstaff
Re: NEW NASTY virus/trojan/fake that does damage

This one's been running around for about a month or so now. I had to fix about 5 systems the first week this bugger came out, and about 1 a week ever since.

Scan the drive using a boot disc that has an AV software on it (such as the Kaspersky Rescue 10 boot CD, which has update support). If you have other bootable discs that have scanning software on it, use them. Clean as much as you can. Then using either a Ubuntu boot disk, Hiren's Boot CD that has MiniXP, or some sort of XP/Vista/Windows 7 bootable disc (anything that has a miniOS on it) change the hidden permissions on all the files/folders you want to copy, and ONLY those files/folders, copy them to another drive, then bite the bullet, and reinstall Windows.

Trust me on this, Judas. It is THE only way to fix this 100%. Not so much because of the virus itself, but because of the time involved unhiding files, which in some cases you cannot, or even if you can there's files that should be hidden that you would be unhiding. If you try to fix this you are in for a world of frustration and hurt, and you'll be wasting hours on 1 machine. I should know.. I did the same thing on the first one I cleaned.
__________________


Portal: The Flash Version
_________________________________
Brain: So, you sacked the cocky khaki Kicky Sack sock plucker?
Mr. Sackett: The second cocky khaki Kicky Sack sock plucker I've sacked since the sixth sitting sheet slitter got sick.
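The selective unhide-and-copy step described in post #3, sketched in PowerShell as an added example (it is not code from any poster in this thread). It assumes a clean Windows environment with the affected disk attached as a data drive; the function name `Copy-RescuedData`, the extension allow-list and the drive letters in the usage comment are hypothetical.

```powershell
# Added example: copy user data off a disk whose files were all flagged
# Hidden/ReadOnly. Run from a clean Windows environment, never the infected install.
# Function name, allow-list and paths are assumptions for illustration.
function Copy-RescuedData {
    param(
        [Parameter(Mandatory)][string[]]$SourceFolders,  # ONLY the folders you want back
        [Parameter(Mandatory)][string]$Destination,
        [string[]]$AllowExt = @('.jpg','.jpeg','.png','.doc','.docx','.xls','.xlsx','.pdf','.txt')
    )
    $clear = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::ReadOnly
    foreach ($root in $SourceFolders) {
        $rootPath = (Resolve-Path -LiteralPath $root).Path.TrimEnd('\')
        # -Force is needed to enumerate hidden items at all
        Get-ChildItem -LiteralPath $rootPath -Recurse -Force -File | ForEach-Object {
            $action = 'copied'
            if ($_.Attributes -band [IO.FileAttributes]::System) {
                # System-flagged files (desktop.ini and similar) are meant to stay hidden
                $action = 'skipped-system'
            } elseif ($AllowExt -notcontains $_.Extension) {
                # Leaves autorun.inf, executables and shortcuts off the backup drive
                $action = 'skipped-type'
            } else {
                $rel    = $_.FullName.Substring($rootPath.Length).TrimStart('\')
                $target = Join-Path (Join-Path $Destination (Split-Path $rootPath -Leaf)) $rel
                New-Item -ItemType Directory -Path (Split-Path $target -Parent) -Force | Out-Null
                Copy-Item -LiteralPath $_.FullName -Destination $target -Force
                # Clear the flags on the COPY only; the source disk is left untouched
                $copy = Get-Item -LiteralPath $target -Force
                $new  = $copy.Attributes -band (-bnot $clear)
                if ([int]$new -eq 0) { $new = [IO.FileAttributes]::Normal }
                $copy.Attributes = $new
            }
            # One record per file so the run can be reviewed afterwards
            [pscustomobject]@{ Action = $action; Path = $_.FullName }
        }
    }
}

# Usage with constructed paths (E: = affected disk, F: = backup drive):
# Copy-RescuedData -SourceFolders 'E:\Users\alice\Documents','E:\Users\alice\Pictures' `
#     -Destination 'F:\rescue' | Group-Object Action
```

Reviewing the `skipped-type` records before wiping the disk shows which files the allow-list left behind, so a needed document type can be added and the copy rerun.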
Old May 26, 2011, 09:02 PM   #4
mkk

Re: NEW NASTY virus/trojan/fake that does damage

Immunising USB drives with this Panda tool is a good idea: Panda USB and AutoRun Vaccine | Panda Research Blog. I don't know about this virus but I don't think that the Panda USB protection has been defeated yet.
Old May 27, 2011, 12:10 AM   #5
Tipstaff
Re: NEW NASTY virus/trojan/fake that does damage

I still can't determine how these people are actually getting this virus. At least 2 of them don't use USB devices. It's still possible some of the others got it that way, so I can't rule that out as a definite. Web browsing/email is still the number 1 culprit at this point.

Anyhoo, I can't stress this enough: DO NOT use Windows to copy files. To put it bluntly, you'll get c*ck blocked on so many different levels it's not funny. Just boot from a CD that has a mini OS on it, like BartPE or in my case I use the Ultimate Boot CD for Windows 3.60 (UBC4Win).

Edit: um.. just realized something. You might not want to use the Ubuntu Linux disc to copy the files as the permissions "might" get messed up. However, you might be able to use it to copy the files to another drive, but do use Windows once it's up and running again to copy them back.

Last edited by Tipstaff; May 27, 2011 at 06:24 AM.
Old May 27, 2011, 04:33 PM   #6
Judas (Thread Starter)
Re: NEW NASTY virus/trojan/fake that does damage

Well I basically deleted most of the partitions and such as it even infected the Dell restore partition and Windows 7 hidden system partition, and I'm not sure ... I've never seen Dell do it so I'm assuming this other hidden partition that is approximately 1mb in size that has no drive letter or anything was also the virus.

I used a bootable ntfs simplified dos style with usb support to get to the documents and pictures to transfer them to the usb drive I've got, which seemed to work. The few other updated as of yesterday afternoon also didn't pick anything up.... malware bytes didn't do anything either....

So I'm guessing it's a new breed or something that left the machine completely screwed.

Either way.... I used SeaTools to do a low level format of the drive...

However using the Windows 7 x64 SP1 Home Premium disc to reinstall.... it got as far as beginning to do the install (copy files) when it failed...

Only time I've ever had Windows 7 fail to install clean has been due to memory errors or hard drive crash.... SeaTools didn't register any bad sectors and never gave a lick of issues.. so currently running a memory test out of pure "making sure" at the moment.

Yeah I wasn't going to take the time to try and unhide certain things.... as the entire machine was already experiencing far too many "issues" with Windows in basically a swiss cheese state. Figured quickest and most trouble free way and for the customer was to just back up the data and wipe it clean....

Hopefully I can get Windows 7 to install properly..

The Dell is an Inspiron Studio (the big 22" or so size touch screen all built as a screen+computer together.)

damn thing runs damn damn hot....