2014-09-14

Malware or Broken Windows Vista Install? Symptoms and Chronology

Case Study: a Possible Virus / Windows Vista Failure

I have been retained to remove a Windows virus. Here are some notes to assist others.

A Windows Vista computer with all patches applied regularly exhibits these symptoms when booted into normal (full) mode:

  • Browser connections time out
  • Nothing can be installed, as the shell has been taken over (.EXE launches produce an error message)
  • AVG 2014 had been disabled but was re-enabled and is "working"
  • The network is working: local and WAN pings succeed
  • Email traffic is normal
What's been tried so far:
  • Restore failed. This could be a Windows issue particular to this machine, or possibly one caused by the malware. Detailed logs were not examined, as the problem predated the infection.
  • Booting into Safe Mode allowed AVG 2014 to be re-enabled, both while in Safe Mode and upon return to normal mode
  • Malwarebytes found no errors in Safe Mode, but did hang after scanning about 28,000 objects
  • HitmanPro ran to completion with Malwarebytes disabled and did not find any errors
  • The shell open registry keys were checked, and they are OK (recall that EXEs can be run in Safe Mode)
The symptoms are evident in full Windows mode, not Safe Mode.
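The "shell open registry keys" check above, written out as an added example (not from the original post): it reads the keys that decide how an .EXE is launched, separately under HKLM and HKCU so a per-user override stands out, and compares them with the Windows defaults. The expected values are the stock defaults; a vendor tool that legitimately wraps EXE launches would need to be added as an exception.

```powershell
# Added example: compare the .EXE launch chain against Windows defaults.
# HKCR is a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes,
# so each is checked on its own to show where any override comes from.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Classes\.exe';                       Expected = 'exefile'  },
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Expected = '"%1" %*' },
    @{ Path = 'HKCU:\Software\Classes\.exe';                       Expected = $null      }, # absent by default
    @{ Path = 'HKCU:\Software\Classes\exefile\shell\open\command'; Expected = $null      }  # absent by default
)

function Test-ExeShellKeys {
    foreach ($c in $checks) {
        if (-not (Test-Path -LiteralPath $c.Path)) {
            if ($null -eq $c.Expected) { "OK       $($c.Path) is absent, as expected" }
            else                       { "MISSING  $($c.Path)" }
            continue
        }
        # The key's unnamed default value is exposed as the '(default)' property.
        $actual = (Get-ItemProperty -LiteralPath $c.Path).'(default)'
        if ($null -eq $c.Expected) {
            "SUSPECT  $($c.Path) exists: '$actual' (per-user override of EXE handling)"
        } elseif ($actual -eq $c.Expected) {
            "OK       $($c.Path) = '$actual'"
        } else {
            "SUSPECT  $($c.Path) = '$actual' (expected '$($c.Expected)')"
        }
    }
}

Test-ExeShellKeys
```

Run it from Safe Mode, where EXEs still launch; any line marked SUSPECT or MISSING names the exact key to inspect before concluding, as the author did, that the shell keys are clean.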

Strategy

I used some of the tactics used by William Rowland (Jan 2013), though the Safe mode block reported there is not one of the symptoms for this attack.

Result 

None of the Safe Mode tools proposed by W.R. turned up anything definitive. There were additional suggested tests that might have been fruitful, but as mentioned, running in normal ("unsafe") mode was not possible -- this ruled out the Windows repair solutions in particular, none of which could be run from the one mode that was operable, Safe Mode.

A time-consuming Windows reinstallation was the only alternative.
