
Possible Duplicate:
What to do if my computer is infected by a virus or a malware?

I have been hit by an absolutely impossible new virus. Only in the past 3 months or so the internet has become covered in this aggressive new virus. My system has been hit 5 times in only one month! It's been expensive since Microsoft no longer provides original disks with laptop purchase.

For many years I have removed occasional viruses that infect my computer. But these incidents have been fairly rare. And if things get difficult you resolve the issue with a complete reinstall. But this new virus has been the most difficult I have ever come across and even reinstall has not worked [non-disk reinstall].

Scans discovered Mazbet, APPL.nircmd - but I think these are aliases the virus uses.

None, NONE, of the virus software can detect and remove it. I have so far tried Norton, McAfee, Kaspersky, AVG, ComboFix, and more and nothing works. The virus even remains active in safe boot. And on reinstall it STILL stays on. MS doesn't provide original disks anymore. New laptops come with partitioned drives with boot feature - but with this virus it's impossible to do a complete reinstall without disks.

The virus has now become so bad it has transferred itself to my external drive and my partition drive. I can identify it by the locked System Volume Information folders it creates in every drive and the desktop.ini that starts to appear in almost all main folders. Gradually over the span of several days it starts to work by locking you out of more and more system folders, and then causing massive problems.

HOW IT INFECTS YOUR COMPUTER

The way this virus infects the computer is from images on Google. I got it when I was looking at a picture in a Google search and clicked to enlarge it. Immediately I was given a message that a "virus-scan" was being done on my system. The web addresses where this virus originates from usually end with a cc or cn. However, this message is fake and there is no way for you to stop this 'scan' [download]. It's done automatically and it goes fast. It doesn't give an option for you to close out. You have to immediately shut down your computer before it manages to install itself because you can't stop it [I stopped a friend's computer from the same infection by shutting it off].

After it infects your system, it either copies or hijacks a new System Volume Information folder (locked). This creates a $RECYCLE.BIN folder with desktop.ini files. Once it is well infected you get messages on shut down: it says your Windows updates are being optimized. This takes forever. It's not; it's the virus and you need to force a shut down even when it looks like it is already on the way to shutting down, or it hijacks even more system drives. On restart it again gives a similar message that it is initializing your Windows updates. These are fake Windows messages.

The desktop.ini files act like a hydra: every time you delete any of these, they reappear. The files it creates will carry different dates and not necessarily the current dates. One had a date going back to 2007. So doing a restore to another date doesn't help. The longer the virus remains untouched the more damage it starts to do. Eventually it will cause constant problems with your system and begin to hide folders and the recycle bin from you - and eventually, crash your entire drive. But this can take days. It works gradually.

All I know is that I tried to reinstall a new system five times with the last attack I had and still had problems with this virus.

DOES ANYONE KNOW WHAT THIS VIRUS IS AND HOW TO PERMANENTLY GET RID OF IT FROM ALL DRIVES INCLUDING EXTERNAL DRIVE??

Ben
  • Install an OS that it can't handle. – Ignacio Vazquez-Abrams Jul 08 '11 at 09:04
  • Ignacio: that doesn't solve removing it from external drives where all my files are in. – Ben Jul 08 '11 at 09:16
  • Come on, it's easy to suggest using Linux. But the real problem is a different one, namely removing the virus. – slhck Jul 08 '11 at 09:20
  • Anyone even know the name of this virus? – Ben Jul 08 '11 at 09:49
  • Can you email me a link? I have seen the fake virus picture - but - it always requires a manual stage such as confirming/downloading... I wouldn't mind investigating. – William Hilsum Jul 08 '11 at 10:22
  • Millions duped in poisoned Google Image attack: “In just one month, this campaign was able to redirect nearly 300 million hits from 113 million visitors to the malicious landing pages,” Trend Micro explained: http://www.itpro.co.uk/633436/millions-duped-in-poisoned-google-image-attack – Ben Jul 08 '11 at 10:29
  • @Will: Sorry I don't have the link saved anymore. Reported it to Google. There are t-o-n-s of them. End in a redirected cc or cn address. Choose any image search in Google, ex cars, architecture etc and click to enlarge... sooner or later you'll get hijacked. Just make sure you do a forced shut down immediately if you get attacked! – Ben Jul 08 '11 at 10:32
  • @ben - I have done this, and, I have been redirected a few times, but, the landing page I have seen requires a manual step. I have not seen an automatic virus infection on a patched system. Have you lowered your default security settings at any time? – William Hilsum Jul 08 '11 at 10:38
  • You're identifying the virus infestation by the appearance of the desktop.ini file? They're normal on the computer...that's what a customized view of your Explorer windows creates. – Bart Silverstrim Jul 08 '11 at 10:42
  • @Bart: the desktop.ini appearances all over the place are only one of the minor early problems it causes before it escalates. It eventually takes over, locks you out from access to any main system folders and recycle bin and hides them. Then Windows begins to fail to recognize an original copy. One by one it leads to total system crash. The problem is; reinstall doesn't work.... Unless you have external CDs. But laptops now don't come with CDs. – Ben Jul 08 '11 at 10:48
  • @Will: when hijack occurs, you can't really shut it off in task manager. It's too fast. So you have to do a forced shut down. I've had firewall etc on but it seems to bypass it. Once it installs, you are blocked access to admin use and system folders. I've never had this much difficulty removing a virus. Last option is usually a complete reinstall - but even this is hard with this one. Hope this info helps. – Ben Jul 08 '11 at 10:54
  • Yes, desktop.ini WILL appear all over, @Ben. It appears in each folder Windows Explorer is altering a custom view. – Bart Silverstrim Jul 08 '11 at 11:01
  • @Ben: When what is in task manager? What's the name of the process? – Bart Silverstrim Jul 08 '11 at 11:02
  • Did you google the names of these files and folders to see how they work and what they're supposed to do? – Bart Silverstrim Jul 08 '11 at 11:05
  • Try ESET NOD32, whatever it is called this day. It has the most aggressive heuristic of them all. – mhitza Jul 08 '11 at 11:28
  • @Ben: I know desktop.ini is normal. Here is someone else with a similar problem that doesn't seem to have been solved: http://www.techsupportforum.com/forums/f217/recycle-bin-and-desktop-ini-virus-321551.html – Ben Jul 08 '11 at 14:39
  • @Ben: That tech support forum isn't a virus issue. It's a guy that can't delete those folders and people explaining that they're normal. Again. This isn't a problem. One of the posts was total crap...won't allow you to boot from CD? Corrupts boot managers? Um...no. – Bart Silverstrim Jul 08 '11 at 14:47
  • So far your description would be like a Mac user complaining about a virus because he keeps finding ".ds_store" files in directories he browses with his Mac. – Bart Silverstrim Jul 08 '11 at 14:55
  • there is so much fail in this question ;-/ -- but i like it. it made my day. – Sirex Jul 08 '11 at 15:51

5 Answers

10

I'm not sure what you're describing is the behavior of malware after you already scanned for items. I mean, the desktop.ini file appears whenever you have a custom view of a folder in Explorer; you play with settings, Explorer is going to create them in that folder. It's hidden unless you're looking for hidden folders.

The system volume information folder? That's protected because...well, it's system volume information. It's going to appear on each volume. See http://support.microsoft.com/kb/309531.

You're already scanning with multiple scanners (hopefully they're not all installed at the same time...no wonder your computer would act strange if they were. Antiviruses generally don't play well if there are multiple ones installed; you should pick one and use that one. Heck, some of them don't play well if they're the only ones installed. I can't count the number of times someone had me look at an issue and it was because Symantec or whatever brand they installed was screwing with their email as a proxy or interfering with file access to a non-infected file...) so you should have detected anything out there that's fairly new as long as you're updating the signatures. Generally I have an antivirus scan plus Spybot plus Malwarebytes or Ad-Aware for malware checks. If I want a second opinion I scan a computer with housecall.antivirus.com for another antivirus/malware check straight from the web browser.

If I'm really certain something is screwy, I boot from a boot disk and check with a bootable antivirus CD. There is no way that a virus can remain resident in memory and deceive a scanner if you boot from a boot CD; the only way it wouldn't know is if the signatures don't include something in the library to detect it.

As for your "no discs" issue, that's why Windows includes backup software now. Actually, it's had it for awhile. Make a system backup from a known-good state. Alternatively there is software out there that will image your drive so you can create a disk image from which to restore. Make a backup of your system. Restore it if need be. Periodically make new backups.

Next...what are you running as? You didn't say (that I saw) what OS you're running. Windows XP? 7? If you're running a newer version of Windows, are you running as administrator? Malware can only infect files you have access to. If you're running as administrator, it'll be able to easily infect system files. If you're running as an unprivileged user, executables and such can only copy to your profile and directories you have access to. So for something to completely wreak havoc with your system you need to be running as a privileged user. Bad idea.

What exactly is your system doing that you're thinking it's infected? Just the presence of these hidden files? Odd network traffic? Have you looked at your network connections to see what your system is doing that's unusual, at the router? Have you used tools like Process Explorer and Procmon (part of the Sysinternals suite; googles will tell you more) to identify what your system is doing? If it's just discovering system folders and Explorer settings files, I am leery of the idea that you're actually infected.

If you're truly worried about this then there was the suggestion that you install Linux. Which is free. But it has a learning curve. Bonus: you'll be immune to Winx viruses. Drawback: if you depend on particular Windows software, it probably won't run. You'll have a steep learning curve and probably will have to learn a bit more about how your computer works.

Alternatively you can try something like Deep Freeze to "freeze" your computer's state once it's clean, but you'll also have to actually maintain it with thaw periods for updates and save your data to an external drive.

Alternatively, you can install Linux (or Windows) fresh and then install VirtualBox and do your browsing and work from there. A virtualized Windows session (or whatever OS you install) will act as a sandbox. As long as you keep your system up to date, you can limit damage done by any malware to your virtual system. Again, it's a learning and workflow change to do it, there are some limitations, but for general work if you're really nervous about what can happen sandboxing and monitoring will be a really good way to limit these things.

From your description, though, it really sounds like you're hunting Windows system files that are normal on Windows systems and getting the usual fake scanner notifications from your browser. I'm thinking your system isn't really infected with anything but Windows cruft.

Bart Silverstrim
  • When hijack occurs, you can't really shut it off in task manager. It's too fast. So you have to do a forced shut down. I've had firewall etc on but it seems to bypass it. Once it installs, you are blocked access to admin use and system folders. On shut down it gives a message that Windows is being updated. After that your recycle bin and system folder is blocked from access and hidden. As it progresses, Windows gives error messages and the entire system crashes. Hope this info helps. Sorry can't use Linux. Not compatible. PS: No, I don't run all virus programs simultaneously! Thnx. – Ben Jul 08 '11 at 11:20
  • But *what* is showing up in task manager to shut down and running too fast? What is the name of the process? – Bart Silverstrim Jul 08 '11 at 11:33
  • What do you mean it's blocking admin use? Like you can't log in as an administrative user, it's giving you a file or folder is in use or has a permission error (if it has an open file handle it may block certain file access, that's normal)...? Recycle bin folders *are* hidden. Again, that's normal. Some system folders like the one I gave in my answer *are* hidden. Because they're system folders. Users aren't supposed to get into them. – Bart Silverstrim Jul 08 '11 at 11:35
  • And what error messages are you getting? You said it gives error messages and crashes. What's in the system log? Perhaps knowing the actual error messages would track down what's happening. – Bart Silverstrim Jul 08 '11 at 11:35
  • @Ben, seriously, slow down and provide details. It's quite apparent that you have *many* misconceptions as to how things work (or should work). You *may* be infected with a virus, but you certainly have **not** shown any details or evidence thereof. – Chris S Jul 08 '11 at 15:08
  • I left the comp with tech support today. They called to say it's certainly infected. They're trying to save some of my files. Some of you are not reading the explanation: the virus downloads so fast you CANNOT cancel the download via task manager. I have never had problems removing viruses in the past. It hasn't been a big deal. This one is a big deal and locks and hides folders that are usually accessible AND visible, somehow corrupts the bootup, and adds duplicate RECYCLE.BIN/SYS VOL INFO/DESKTOP.INI all over before locking n'hide visible folders and all access to them. Also hides Start menu – Ben Jul 08 '11 at 22:25
  • You wouldn't cancel it via task manager. Task manager lists running processes. I've been asking you what the *name of the process* is you are saying is the executable causing your issues. – Bart Silverstrim Jul 09 '11 at 00:29
  • Either you're not clearly explaining what's happening or you're about to get ripped off by a tech company who's charging to reinstall Windows for you. Either way as long as you're happy I guess that's all that's important. – Bart Silverstrim Jul 09 '11 at 00:30
3

It sounds like you're probably running into the malware described here: http://cleanbytes.net/google-images-redirecting-to-a-new-virus

From a quick googling, I didn't find anything specific about how to remove it, although http://www.google.com/support/forum/p/Web%20Search/thread?tid=6df7e15519290612&hl=en has a list of malware removal forums which may be able to help.

My main suggestion for avoiding it in the future would be to use Firefox with the NoScript plugin, which will prevent sites from running any type of active content in your browser unless you've whitelisted that specific site. By preventing this attack from running its JavaScript payload, that should prevent it from infecting your system.

Dave Sherohman
2

I'm laughing.

desktop.ini files are created in any folder you have set view preferences for. System Volume Information folders are by default created on every drive in Windows.

Neither of these symptoms is viral in nature. If someone told you they were viral, they were playing a cruel prank on you.

To make this "virus" go away, in a My Computer window, go to Tools -> Folder Options. In the View tab:

- Select "Do not show hidden files and folders"
- Uncheck "Display the contents of system folders"
- Check "Hide protected operating system files (Recommended)"

This will hide the desktop.ini files and the System volume information folders.

The only infection you did describe was a standard fake antivirus malware, which are not usually too difficult to remove.

Download and install Malwarebytes Anti-Malware and run it in safe mode.

Or, if you have a second computer you can connect your hard drives to as secondary or slave drives, do this and scan them from there. Once the safe mode or slaved drive scan is complete, connect the drives to their normal computer or boot into normal mode and run the Malwarebytes full scan again to get any leftovers.

You make several vague references to other system issues you believe are related to this infection. Providing more detail on what these other issues are may clue us in to what sort of real infection you actually have. Just remember: desktop.ini and System Volume Information files and directories are not indicative of a virus at all.

music2myear
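As an added example, not code from the question or from any answer in this thread: a small Python triage script that applies the point made in this answer and in Bart Silverstrim's answer above, namely that desktop.ini is ordinary Explorer metadata, so the useful question about any given copy is whether it still is one. It parses each file as INI, accepts the sections Explorer itself writes, and flags files that are not INI text at all (for example a renamed executable), that contain sections Explorer never writes, or that reference an icon from an absolute path outside the Windows directory. The section allowlist, the icon heuristic (which assumes C: is the system drive) and the five sample files are assumptions constructed for this example.

```python
"""Triage desktop.ini files: separate ordinary Explorer metadata from anything that
merely borrows the name. Added example; the allowlist and heuristics are assumptions."""
import configparser
import os
import re
from dataclasses import dataclass, field
from typing import List

# Sections Windows Explorer itself writes into desktop.ini (heuristic allowlist).
KNOWN_SECTIONS = {".shellclassinfo", "viewstate", "localizedfilenames",
                  "extshellfolderviews", "deleteoncopy"}
# Windows XP kept per-view settings under GUID-named sections.
GUID_SECTION = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Where an icon referenced from a stock desktop.ini normally lives (assumes C: is the system drive).
WINDOWS_PREFIXES = ("%systemroot%", "%windir%", "c:\\windows\\")


@dataclass
class Verdict:
    path: str
    level: str = "normal"            # "normal", "review" or "suspicious"
    reasons: List[str] = field(default_factory=list)

    def flag(self, level: str, reason: str) -> None:
        order = ("normal", "review", "suspicious")
        if order.index(level) > order.index(self.level):
            self.level = level
        self.reasons.append(reason)


def decode_ini(raw: bytes) -> str:
    """Explorer writes desktop.ini as UTF-16 LE (usually with BOM), UTF-8 or ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")          # the codec consumes the BOM
    if raw.startswith(b"\xef\xbb\xbf"):
        return raw.decode("utf-8-sig")
    if b"\x00" in raw:                       # BOM-less UTF-16 is the only benign reason for NULs
        return raw.decode("utf-16-le", errors="replace")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("cp1252", errors="replace")


def icon_outside_windows(value: str) -> bool:
    """True for an absolute icon path that is not under the Windows directory.
    Relative names such as folder.ico and %SystemRoot%-based paths are normal."""
    low = value.strip().strip('"').lower()
    if low.startswith(WINDOWS_PREFIXES):
        return False
    is_absolute = (len(low) > 1 and low[1] == ":") or low.startswith("\\\\") or low.startswith("%")
    return is_absolute


def triage(path: str, raw: bytes) -> Verdict:
    """Classify one desktop.ini by content alone (Hidden/System attributes are a separate check)."""
    v = Verdict(path)
    if raw[:2] == b"MZ":                     # a PE executable renamed to desktop.ini
        v.flag("suspicious", "PE header: this is an executable, not configuration")
        return v
    text = decode_ini(raw)
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True,
                                      delimiters=("=",), empty_lines_in_values=False)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        v.flag("suspicious", f"does not parse as INI ({type(exc).__name__})")
        return v
    for section in cp.sections():
        if section.lower() not in KNOWN_SECTIONS and not GUID_SECTION.match(section):
            v.flag("review", f"section [{section}] is not one Explorer writes")
        if section.lower() == ".shellclassinfo":
            for key, value in cp.items(section):   # configparser lower-cases key names
                if key in ("iconfile", "iconresource") and value and icon_outside_windows(value):
                    v.flag("review", f"{key} points outside the Windows directory: {value}")
    return v


def triage_tree(root: str) -> List[Verdict]:
    """Walk a mounted drive (e.g. the slaved disk from the answer) and triage every desktop.ini."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "desktop.ini":
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    results.append(triage(full, fh.read()))
    return results


# Constructed sample contents (not taken from the thread).
SAMPLE_STOCK = (b"[.ShellClassInfo]\r\nIconResource=%SystemRoot%\\system32\\imageres.dll,-108\r\n"
                b"[ViewState]\r\nMode=\r\nVid=\r\nFolderType=Pictures\r\n")
SAMPLE_UTF16 = b"\xff\xfe" + ("[.ShellClassInfo]\r\n"
                              "LocalizedResourceName=@%SystemRoot%\\system32\\shell32.dll,-21798\r\n"
                              ).encode("utf-16-le")
SAMPLE_ODD = (b"[.ShellClassInfo]\r\nIconFile=C:\\Users\\Public\\Downloads\\view.exe\r\nIconIndex=0\r\n"
              b"[Persistence]\r\nRun=1\r\n")
SAMPLE_PE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
SAMPLE_TEXT = b"this is not an ini file at all\r\n"

if __name__ == "__main__":
    for label, raw in [("stock", SAMPLE_STOCK), ("utf16", SAMPLE_UTF16), ("odd", SAMPLE_ODD),
                       ("pe", SAMPLE_PE), ("text", SAMPLE_TEXT)]:
        v = triage(label, raw)
        print(f"{label:6} {v.level:10} {'; '.join(v.reasons)}")
```

Running the script prints a verdict for each constructed sample: the two stock files come back "normal", the file with a [Persistence] section and an icon under Downloads comes back "review" with two reasons, and the renamed executable and the plain-text file come back "suspicious". Pointing `triage_tree` at a slaved or mounted drive gives the same verdicts for every real desktop.ini on it; a volume where every hit is "normal" supports the answer's conclusion that these files are just Explorer settings.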
1

I used this Rescue CD and it helped me out. Hope it will do the same for you. Here are some of its features, which you will also find at the link:

- A comprehensive administration toolkit.
- System recovery from virus and spyware infections.
- Adaptability for the recovery of both MS Windows and Linux operating systems (FAT32 and NTFS file systems).
- Ability to perform a clean boot from a CD or USB stick.

avirk
1

See my post here, go to the EDIT section at the bottom and download the Microsoft Safety Scanner software to a clean PC, run the software and make the bootable CD or thumb drive, boot from this on the infected PC and do a full scan, and remove anything it finds.

Moab