Saturday, September 24, 2011

It looks like I have conquered the virus. Bob used the machine all last evening with only minor issues. Right now I am doing a defrag and then will create a restore point.

If you have landed here because you have a rootkit virus; are searching because your tcpip.sys (or apparently another .sys file) has been destroyed; you cannot connect to the Internet due to a virus; are getting an error message when you try to repair your network connection (such as "the TCP/IP Protocol Driver service failed to start due to the following error: The system cannot find the file specified"); Avast (or your other virus checker) is disabled and will not turn on or repair; icons have vanished on your desktop or various system files are missing from your computer; the result is a freeze or impossibly slow response when you try to open network connections in Control Panel; the machine won't roll your computer back to a restore point; and/or you are getting low virtual memory error messages, you may be a redneck. No, only kidding. You may have come to the right place!
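Before running the removal tools, it helps to confirm which of the symptoms above are actually present on the machine. The script below is an added example and is not from the original post or any of the tools it mentions; it assumes the standard Windows location of tcpip.sys under %SystemRoot%\System32\drivers and the built-in service name Tcpip for the TCP/IP Protocol Driver, and it should be run from an elevated PowerShell prompt. It checks whether the driver file exists, whether it still carries a valid Microsoft signature, what state the Tcpip service is in, and whether any restore points are available to fall back on.

```powershell
# Added example (not from the original post): a read-only health check for
# the symptoms described above. Run from an elevated PowerShell prompt.
# Paths and the service name are standard Windows values; nothing here is
# taken from the infected machine in the post.

$driverPath = Join-Path $env:SystemRoot 'System32\drivers\tcpip.sys'

# 1. Is the driver file present at all? A missing tcpip.sys matches the
#    "system cannot find the file specified" error quoted in the post.
if (-not (Test-Path $driverPath)) {
    Write-Warning "tcpip.sys is missing from $driverPath"
} else {
    $file = Get-Item $driverPath
    Write-Output ("tcpip.sys present, version {0}, size {1} bytes" -f `
        $file.VersionInfo.FileVersion, $file.Length)

    # 2. Is it still the Microsoft-signed binary? A rootkit that replaces or
    #    patches the driver normally breaks the Authenticode signature.
    #    (On older Windows versions system files are catalog-signed and this
    #    cmdlet may report NotSigned even for a clean file; treat that as a
    #    prompt to run "sfc /verifyonly", not as proof of infection.)
    $sig = Get-AuthenticodeSignature -FilePath $driverPath
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for tcpip.sys: $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        Write-Warning "tcpip.sys is signed, but not by Microsoft: $($sig.SignerCertificate.Subject)"
    } else {
        Write-Output "tcpip.sys has a valid Microsoft signature"
    }
}

# 3. State of the TCP/IP Protocol Driver service (service name: Tcpip).
$svc = Get-Service -Name Tcpip -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "The Tcpip service is not registered"
} else {
    Write-Output "Tcpip service status: $($svc.Status)"
}

# 4. Are there restore points to fall back on? Rollback failing is one of
#    the symptoms listed, so knowing what is available before cleaning helps.
try {
    $points = @(Get-ComputerRestorePoint -ErrorAction Stop)
    if ($points.Count -eq 0) {
        Write-Warning "No restore points found"
    } else {
        $newest = $points | Select-Object -Last 1
        Write-Output ("{0} restore point(s) found; newest: {1}" -f $points.Count, $newest.Description)
    }
} catch {
    Write-Warning "Could not enumerate restore points: $($_.Exception.Message)"
}
```

The script only reads state; it does not repair anything. A missing or unsigned tcpip.sys, or a Tcpip service that is not running, is the cue to proceed with the offline scanners listed below and then with a clean reinstall of the anti-virus product.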

Read this. It's very helpful, sort of a general overview. There are lots of other fascinating materials at that site that explain the history of malware, various recent exotic threats, etc., if you are interested in reading more on the subject.

I have other computers that I can use to search and download tools; if you do not, take a flash drive somewhere and download all the tools you need. Even if you have one or more of these already installed, download a new version instead of relying on what's already on there. I downloaded the latest version of Avast, also the Avast removal tool to get rid of the compromised version that was installed [and I then installed the updated Avast last, after getting rid of the virus], Malwarebytes, Kaspersky Anti-Virus, CCleaner, ComboFix, copied them to a flash drive, booted into safe mode, and ran each one. (I also tried Sophos, and what it found was right on, but you will have to google each file it finds that is suspicious but not automatically flagged to be sure it is OK to remove, and I think ComboFix may take care of that automatically.) A couple of the anti-virus checkers had to reboot and run in regular mode, and I allowed it.

It took me two days to solve -- the first was mostly shots in the dark, since I did not really know what to hunt for, hit a bunch of dead ends, and feared that a reformat/recovery/reinstall was going to be necessary (and naturally I cannot find the recovery disk so would need to buy one and wait for it to come...price with shipping, $50...maybe better to invest those funds in a new cheapie laptop instead? And I noticed lots of scary things in searches suggesting the virus might survive even wiping the machine...not sure if that is true, btw, lots of junk information out there) until I arrived at a partial solution that restored network connectivity (using steps 11-19 posted by hublerb in this thread), but did not remove the virus.

However, once I reinstalled avast in that state, I immediately was alerted that a virus was found, and what it was (although it could not be removed and it disabled avast and network connectivity again). So the second day I had that piece of information to go on, and arrived at the fix. Good luck!

Later: I should add that I decided to switch (on the laptop only) to AVG Anti-Virus from Avast, since the virus got through and Avast kept getting disabled.

Still Later: The virus, or I think more likely everything that I did to wipe it out, also lost the file associations in Bob's logon (not mine). So I used this to restore them.

And still later: Bob tells me that his logon was messed up long before the virus took hold, and he had been using mine. So that might not have been part of this, or might have been the first warning signal. (Although I believe we got it on Tuesday, so maybe not.) Regardless, it is all fixed and working fine now.
