Author Topic: One Nasty Virus/Trojan - Kills all virus scanners  (Read 132616 times)

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2604
  • I can resist anything except temptation.
    • tex62
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #285 on: November 05, 2009, 10:08:42 PM »
This is what I use. It is completely free and it works (trust me, I have two adolescent boys who click on everything and thus have completely destroyed the system several times...  ;D )

http://www.paragon-software.com/home/db-express/index.html

In short: takes a complete copy of a partition/disk and saves it as an image where you want it. (Remember to check the MBR, if you backup only a system-partition).
Creates a boot-CD.

If then something bad happens:
Boot from the CD, click restore, specify path to the image, specify target drive, click go.
Done.
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #286 on: November 06, 2009, 01:05:35 AM »
Sorry to be gone so much now....I work for myself, and sometimes have more time, sometimes have none. But I always turn up again sooner or later.  :-\

Anyhow, you did NOT need to install SP3 for IE8. I just got done installing IE8 on a computer that we didn't want SP3 on. It can be done. There's an update I had to install manually, the KB# of which escapes me right now, but I unchecked the box that says to install updates and it sent me right to the download page for it. It can be done, and it wasn't hard. Sorry you got SP3 over that.....oops......

Backups are interesting....image backups have their place, but everyday use is not it, in my opinion. Image backups are good for system-state storage, but incremental file backups are much more efficient for protecting your "stuff." I use Cobian Backup 9 for that. It's tops, and it's free.

If you're having trouble with your external hard drive, try it in Puppy to see if there's a problem with the hard drive or with Windows. The fact that it said that something was accessing it when you attempted safe removal proves very little indeed. It was stuck and probably just assumed that was the reason. Don't give Windows credit for being too bright...... ;)

Cannot reconnect all network drives could be due to network settings changing. Try disconnecting them and reconnecting them and see if they stick. If you didn't think you had any......the virus tried to map a drive in Nairobi  >:( ........... You should see any mapped drives at the very bottom of the list in My Computer. Delete them and re-map them.

When you uninstall and reinstall FireFox, you may need to tell it to clear all settings on the way out so that the new installation doesn't inherit problems from the old. FF3 is glitchy, and always has been, but 3.5 seems fine. I used FF2 and Opera until FF3.5 came out.

Glad things are working better. Oh, and Eusing is safe enough to run regularly, but I'd recommend creating System Restore points before you do, just in case it nukes a key you find you need back. It's only happened once or twice in my entire time of doing business. In spite of the amount of stuff it finds, it's actually fairly conservative in its approach. It's just more thorough than many.

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #287 on: November 06, 2009, 01:27:05 AM »
Glad to see you back..

I ran Bitdefender Online Scanner just for the heck of it and it found one Trojan.
I sent a copy of the text.. the file that is infected was not in the report unfortunately.. but it was a system32 dll file something like paoly

I will try the drive in Puppy.. see what happens.

Took me 4-5 trips to MicroS Updates online and as many reboots to get all the updates.. but I finally got em!

What about Disk Defragmenter .. any suggestions there?

With all the deleting and what not wanted to see what the drive looked like.

-----------------------
Firefox is running much better now..
----------------------

What do you think of the virus notice.. maybe a false notice..
anyway Bitdefender says it can't fix it..

-----------------------

Loading Puppy now
« Last Edit: November 06, 2009, 01:35:52 AM by Lynn210 »

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #288 on: November 06, 2009, 01:40:28 AM »
Puppy had no problem reading it..

Curious.. what now.. could try renaming the drive
and maybe fool Windows..

What do you think?

--------------------
HMMM... I have another drive that something similar happened
maybe I'll give that one a try in Linux too

------------------
Does Puppy have the ability to reformat a drive.. in NTFS
so Windows can read it..

« Last Edit: November 06, 2009, 01:46:26 AM by Lynn210 »

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #289 on: November 06, 2009, 01:51:47 AM »
You may find dribs and drabs of virus floating around here and there for awhile, but that's not serious. Any time you excavate a serious infestation like you did you will have pieces that are left laying around. These are usually not harmful, as they are dependent on others to work properly.

I generally discourage defragmenting, as all that moving things around leaves too much opportunity for bad things to happen and also wears out the drive. The performance improvement from defragmentation is generally negligible to imperceptible. Today's drives seek very quickly.

Puppy can create NTFS filesystems, but it's a little fudgy sometimes, so I'd discourage it. What I'd suggest instead is that you plug it in, boot Windows, launch cmd, and run "chkdsk x: /f /v" subbing the actual letter Windows gave it for x: but you do need the colon.
« Last Edit: November 06, 2009, 01:54:01 AM by edifyguy »

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #290 on: November 06, 2009, 02:19:47 AM »
No luck on the "other drive".. too bad.. I could use the storage space..

The drive runs.. I can feel it.. Puppy tried to read it.. the light flickered some
but it could not "mount" it

Windows did the same at the time.. I could not even get Windows to reformat
it so I would at least not lose the use of the drive. But it would not reformat.
--------------------------

I am rebooting into Windows with the drive connected as you suggested.. it went directly into that constant read mode... Windows still can't read the drive..
Trying chkdsk
Cmd is reading it .. It identified it as NTFS
Now I am getting a bunch of unreadables .. it deleted a lot of stuff
but the drive is now readable.. just have to figure out which files I lost
in the process..

Well Gee! that worked great...
I had no idea chkdsk was that strong!
---------------------------

Going to plug that long lost drive in and see what chkdsk
says.. I have already replaced the files on that one.. would
just like to have the storage back at this point.

---------------------------
chkdsk started out good on the long lost drive but then
got to a point where I get a pop up saying I/O operation was not completed
before time-out period expired.
and the drive info disappeared from "My Computer"
I know you can do a reformat in cmd .. from the old days..
maybe I could try that.. I can look up the command
Right now the drive is a FAT32 .. I would want to convert it to NTFS too.
« Last Edit: November 06, 2009, 02:36:03 AM by Lynn210 »

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #291 on: November 06, 2009, 02:43:19 AM »
If you have a drive that's really gone stiff, pull up Puppy without the drive plugged in, then plug it in and observe the name of the icon that pops up. For example, sdc1. My examples will assume that the bad external showed the icon sdc1 when you plugged it in. That means that the DRIVE ITSELF is named sdc in Unix terms.

This command from a console (terminal) will physically erase the entire drive:

dd if=/dev/zero of=/dev/sdc

It will also take awhile, especially if we're talking terabytes here. Expect it to take 4-8 hours, so do it on a computer you don't need for awhile, or do it overnight. This will usually reallocate any failing sectors, and will erase all filesystems.

Once that's done, run Gparted. You can find it on the Puppy menu. Select sdc as the working drive in the startup wizard. When Gparted pulls up, it should show no partitions (all space shows as unallocated.) Click the "new" button. You will get a warning about losing everything. Tell it to do it anyway. (There's nothing on here to lose, as we wiped it clean.) It will do something, then it'll look pretty much the same as it always did. Select "New" again. This time, it'll give you the new partition menu, and by default it will make 1 partition the full size of the drive. Simply change the type or format to NTFS, tell it OK, then click Apply. You may get warnings along the way, just say OK.

Be warned, if you do this to the wrong drive, you'll lose everything on a drive you didn't mean to nuke. Be very alert when you're doing this, and check your commands for typos and your drive name for accuracy. Be sure, or you could be very sorry!

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #292 on: November 06, 2009, 02:53:04 AM »
Well that long lost drive made it through chkdsk..
I was able to read it in My Computer for a few minutes
then it disappeared..

Now I get a popup that says the drive is not formatted do I want to
format but it shows only 127 GIGS out of 465GIGS

ran chkdsk again and it now says it cannot read the drive because
it is a RAM drive.

---------------------------
OK Here's one for the books
Long lost drive would not format using chkdsk or disk manager..
Tried Puppy.. Puppy would not recognize it
Went back to windows.. drive shows in My Computer
so I started manually erasing files.. till there aren't any left
It's a 465gig drive .. My Computer says there is only 121Gigs free
Did a right click on the drive letter and I see that format is in the list
Click on format.. since regular formatting did not work I tried Quick Format
and voilà! instant hard drive all 465gigs in NTFS format..
Drive Seems fine now
Go figure......
--------------------------
 :'( Spoke too soon
Drive worked for a little while then went back to being
inoperable .. I give up!
---------------------------
« Last Edit: November 06, 2009, 02:28:18 PM by Lynn210 »

Philo

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #293 on: November 06, 2009, 05:29:32 AM »
Wow, what a posting this has been to follow.

Epic anti-virus win!

Sorry, just had to throw that in there as I've been following this from the beginning. :)

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #294 on: November 06, 2009, 02:33:05 PM »
Things seem to be working ok now.. haven't checked everything

I sure have learned a lot here!! especially from Edifyguy
So have a lot of other people following this journey I am sure.
Thanks Edifyguy!!

Thanks to all others who assisted.

What I would like to know now is the best setting for my Avast
software to help prevent this kind of thing.

 .. I need two computers on a medium range security
and the other on a high range of security..
At the same time I do not want my browsers to slow down to a
crawl..

I have tried many many antivirus software programs and so far Avast
is the fastest.. least invasive.. and most user friendly I have found.

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #295 on: November 06, 2009, 05:15:34 PM »
Try "long lost" again in Puppy now that you've reformatted it in Windows. Also, plug it in and wait a bit. The hardware engine doesn't scan constantly, only every 6 secs or so, to save CPU usage. If you can't get an icon, there's another way to see what letter it is.

I suspect that the thing is physically going bad, so you should go radical on it. Do this in a console after Puppy boots, before you plug in "long lost":

ls /dev/sd*

It will give you a list of drives and partitions in Linux naming convention.

Plug in "long lost" and wait 30 seconds. Run the command again. You SHOULD have a new drive, eg. sdc even if you don't have a new partition eg. sdc1 as there may be a problem with the partition structure on it. That would prevent Puppy from showing it as an icon, since it doesn't list icons for hard drives, just hard drive partitions.

Now that you've determined the drive's linux name manually, you can proceed with my previous recovery method, eg. dd then gparted.

You may have a dead drive still after all's said and done, but it won't take much of your time to do. And, of course, you can at least still access the Internet in Puppy, so all's not lost for usability while you do it.

Glad to have been of assistance. You owe me lunch next time I'm in Florida.  ;D
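
Added example, not part of the original posts: the drive-identification step from replies #291 and #295 (compare `ls /dev/sd*` before and after plugging the drive in) written as a shell check that names a wipe target only when exactly one new disk appeared and none of its partitions is mounted. The function names and the sample listings are constructed for illustration; the script prints the dd command for review and does not run it.

```shell
#!/bin/sh
# Added example: derive the dd target from two `ls /dev/sd*` listings.

# disks_of LISTING: reduce `ls /dev/sd*` output to unique whole-disk names.
disks_of() {
    printf '%s\n' $1 | sed -n 's#^/dev/\(sd[a-z][a-z]*\)[0-9]*$#\1#p' | sort -u
}

# new_disk BEFORE AFTER: print the one disk present only in AFTER.
# Fails when zero or several disks appeared, since the target is ambiguous.
new_disk() {
    b=$(disks_of "$1"); a=$(disks_of "$2")
    added=$(for d in $a; do
        case " $(echo $b) " in *" $d "*) ;; *) echo "$d" ;; esac
    done)
    [ "$(printf '%s\n' $added | grep -c .)" -eq 1 ] || return 1
    echo "$added"
}

# is_mounted DISK MOUNTS: succeed if DISK or one of its partitions is a
# mount source in MOUNTS (text in /proc/mounts format).
is_mounted() {
    printf '%s\n' "$2" | grep -Eq "^/dev/$1[0-9]* "
}

# safe_target BEFORE AFTER MOUNTS: print /dev/<disk> only when exactly one
# new disk appeared (else status 1) and it is not mounted (else status 2).
safe_target() {
    d=$(new_disk "$1" "$2") || return 1
    is_mounted "$d" "$3" && return 2
    echo "/dev/$d"
}

# Constructed sample data: listings taken before and after plug-in.
# On a live system use: BEFORE=$(ls /dev/sd*), plug in, wait 30 seconds,
# AFTER=$(ls /dev/sd*), MOUNTS=$(cat /proc/mounts).
BEFORE="/dev/sda /dev/sda1 /dev/sda2 /dev/sdb /dev/sdb1"
AFTER="/dev/sda /dev/sda1 /dev/sda2 /dev/sdb /dev/sdb1 /dev/sdc"
MOUNTS="/dev/sda1 / ext3 rw 0 0
/dev/sdb1 /mnt/sdb1 vfat rw 0 0"

target=$(safe_target "$BEFORE" "$AFTER" "$MOUNTS") &&
    echo "Review, then run: dd if=/dev/zero of=$target"
```
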

Omega40

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #296 on: November 06, 2009, 06:44:07 PM »
It was spell-binding to watch the goings on over this and I want to offer a big congrats to Lynn210 and edifyguy for diligence in pursuing and eradicating this horrific virus!

<3 to all..

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2604
  • I can resist anything except temptation.
    • tex62
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #297 on: November 06, 2009, 07:40:45 PM »
> It was spell-binding to watch the goings on over this and I want to offer a big congrats to Lynn210 and edifyguy for diligence in pursuing and eradicating this horrific virus!
>
> <3 to all..

Yeah, it was a thriller and some awesome performances! Congrats, even though I am not sure if it hadn't been wiser to just reinstall Win. Can you trust a system that had been compromised that deep? Somehow I doubt that. I wouldn't trust it and hesitate to do banking and things like that on the system.
But, nevertheless, Edifyguy did some great work on this, and Lynn210 was just wonderful to hang in there. Again:
Hats off! Great Job!
 8)
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #298 on: November 06, 2009, 07:54:56 PM »
> > It was spell-binding to watch the goings on over this and I want to offer a big congrats to Lynn210 and edifyguy for diligence in pursuing and eradicating this horrific virus!
> >
> > <3 to all..
>
> Yeah, it was a thriller and some awesome performances! Congrats, even though I am not sure if it hadn't been wiser to just reinstall Win. Can you trust a system that had been compromised that deep? Somehow I doubt that. I wouldn't trust it and hesitate to do banking and things like that on the system.
> But, nevertheless, Edifyguy did some great work on this, and Lynn210 was just wonderful to hang in there. Again:
> Hats off! Great Job!
>  8)

Thank you, all. I like putting out fires....at least, I do it an awful lot.  :o

As for trust, yes, I think you can, after awhile. As time goes on, anti-crap utilities will get more up-to-date as regards older viruses, and the remaining pieces will be scoured off. I think she's already got it to a level of cleanliness where I would trust it. However, waiting for a few more weeks and scanning every few days in the meantime would be the cautious approach.

Glad to have been of assistance.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #299 on: November 06, 2009, 08:21:45 PM »
Well done all round!
That was darned interesting.
Windows 10,Windows Firewall,Firefox w/Adblock.