
Windows decimated by a trojan

Digideath

So I have/had a peach of a virus and it's destroying my Windows install. I know you'd think that I should just reinstall Windows, but it's not that simple. As was confirmed by using sfc /scannow, this virus appears to have altered a shit ton of files and I don't know how far it's spread or what it's doing.

It started with weird behaviour from my computer. For example, something was using a single thread of my CPU, flat out, but every time I brought up Task Manager, it would stop. If I closed Task Manager, it would start back up after a few mins. So whatever it was, it was avoiding Task Manager.

It was gut instinct. I knew I had a virus. So I began running scans. The first one, Windows Defender, found nothing. The second was Malwarebytes and it found 11 entries related to a trojan. I can't remember what trojan off the top of my head, but I quarantined the lot of it.

Straight away I noticed certain apps and Windows panels were broken. For example, my Creative media player is broken. The album pane and the track list pane are blank. If I right click on them the app shuts down. I've tried reinstalling it but it doesn't fix it.

Task Manager is broken. I'm getting no data. Just blank panes. If I try to click on a tab or menu option, it crashes and shuts down.

Windows Update is broken. It's being forced disabled. It's the Windows Update service, you see. It's been locked at Disabled. I tried to manually enable the service but it jumps back to Disabled the minute I click Apply. So something is blocking me from turning on Windows Update.

Seeing all that I decided to run sfc /scannow. It was a gut feeling again. It found hundreds of files it classed as corrupt and replaced them. So that was hundreds of files altered or damaged in some way by the virus.

Is there any scan you could recommend to check if the virus is definitely gone? I just have this feeling that something is still working against me.

Also, is there any way to fix the damage that's been done? I know it's a long shot but I would rather repair than reinstall.
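One way to audit the symptoms this post describes (the Windows Update service locked at Disabled, a Task Manager that no longer works, a CPU hog that hides from it) together with the usual autostart locations, as an added example that is not from the thread. It assumes an elevated PowerShell 5.1+ session on Windows 10 and only reads state; nothing here changes the system.

```powershell
# Post-cleanup audit for the symptoms described in this thread. This is an added
# example, not something posted in the thread. Assumes an elevated PowerShell 5.1+
# session on Windows 10; it only reads state and changes nothing.

# 1. Windows Update service: the thread reports it locked at Disabled.
$wu    = Get-Service -Name wuauserv
$wuCfg = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
"wuauserv: status={0} startmode={1}" -f $wu.Status, $wuCfg.StartMode

# 2. Image File Execution Options: a 'Debugger' value under taskmgr.exe or an
#    AV executable redirects that program somewhere else whenever it starts,
#    which is one common way Task Manager ends up "broken".
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { "IFEO debugger set: {0} -> {1}" -f $_.PSChildName, $dbg }
}

# 3. Classic autostart entries for the machine and the current user.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "Autostart: {0} = {1}" -f $_.Name, $_.Value }
    }
}

# 4. Scheduled tasks whose action runs from a user-writable location.
Get-ScheduledTask | Where-Object {
    ($_.Actions | ForEach-Object { $_.Execute }) -match '\\(Users|ProgramData|Temp)\\'
} | ForEach-Object { "Task: {0}{1}" -f $_.TaskPath, $_.TaskName }

# 5. Defender state, since the first scan in the thread found nothing.
$mp = Get-MpComputerStatus
"Defender: realtime={0} signatures updated {1}" -f $mp.RealTimeProtectionEnabled, $mp.AntivirusSignatureLastUpdated

# 6. CPU sample taken from this console rather than Task Manager, since the miner
#    in the thread paused whenever Task Manager was open. Shows the top consumers.
(Get-Counter -Counter '\Process(*)\% Processor Time' -SampleInterval 5 -MaxSamples 1).CounterSamples |
    Where-Object { $_.InstanceName -notin @('_total', 'idle') } |
    Sort-Object -Property CookedValue -Descending |
    Select-Object -First 5 InstanceName, CookedValue
```

Anything this lists is a lead to investigate, not a verdict; compare the autostart and task entries against what you know you installed.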


If you haven't, unplug it from your network or take it off the wifi to prevent spread.

Have you looked at whether you have a Windows recovery point from before the attack? I honestly would get a new flash drive, put all the important files on it and do a fresh install. Do not plug that flash drive into your computer AT ALL. Treat these as if they have the virus and only use it to rebuild them or scan the ever living hell out of them on an old system or one that is not on the network. Just in case they have any trace of the virus left over.

I would treat the HDDs/SSDs as infected to the core. Some viruses are able to stick around even after a fresh install, but it is worth a shot to start fresh or do a roll back.


2 minutes ago, EpiCheeseTime said:

If you haven't, unplug it from your network or take it off the wifi to prevent spread.

Have you looked at whether you have a Windows recovery point from before the attack? I honestly would get a new flash drive, put all the important files on it and do a fresh install. Do not plug that flash drive into your computer AT ALL. Treat these as if they have the virus and only use it to rebuild them or scan the ever living hell out of them on an old system or one that is not on the network. Just in case they have any trace of the virus left over.

I would treat the HDDs/SSDs as infected to the core. Some viruses are able to stick around even after a fresh install, but it is worth a shot to start fresh or do a roll back.

I forgot to say. My restore points have all been wiped. Including the ones I created myself. I can't roll back the system.

I can reinstall and I have an old spare computer I can do scans on. I have 2 drives I will need to isolate because of this.

It's offline atm. My computer is actually shut down. I'm on my phone atm. I'll keep it offline. I want to run more scans. Can you recommend a good free scanner?


Free...no, paid yes.

My company personally uses Sophos and it is worth it in my opinion. It helped me find ground 0 on several crypto attacks that happened to other companies. If it is that important, I would spend the money to get it back. If it isn't that important...rebuild.

Also, do you know where you got it from? You can help others by releasing where it came from. Most antivirus places really appreciate new virus findings being publicized rather than swept under the rug.


16 minutes ago, EpiCheeseTime said:

Free...no, paid yes.

My company personally uses Sophos and it is worth it in my opinion. It helped me find ground 0 on several crypto attacks that happened to other companies. If it is that important, I would spend the money to get it back. If it isn't that important...rebuild.

Also, do you know where you got it from? You can help others by releasing where it came from. Most antivirus places really appreciate new virus findings being publicized rather than swept under the rug.

The only thing I can think of was I was on an anime site a month ago. It had some pretty aggressive fake ad pop ups. Apart from that, all I use my computer for is Steam, YouTube videos and my audio creation software.


Crunchyroll? Don't say it was that. I'll cry.

I would also start looking at backups potentially. Not Windows recovery, but potentially using that old PC of yours as a NAS of some sort for redundant file storage. Or Dropbox, or something, so that you have at least something to fall back on.

I personally have an external HDD that is in a firesafe, and a NAS that pushes all files to my Dropbox every Friday. Some say overkill, I say I have my data backed up lol.


On 11/30/2020 at 3:12 PM, EpiCheeseTime said:

Crunchyroll? Don't say it was that. I'll cry.

I would also start looking at backups potentially. Not Windows recovery, but potentially using that old PC of yours as a NAS of some sort for redundant file storage. Or Dropbox, or something, so that you have at least something to fall back on.

I personally have an external HDD that is in a firesafe, and a NAS that pushes all files to my Dropbox every Friday. Some say overkill, I say I have my data backed up lol.

Sorry I was so long. I've been busy working on this.

No, it wasn't Crunchyroll lol. It was wcostream. Watch Cartoons Online.

I've sat with both computers up, working away on this.

First off, the virus I had was multiple infections. 2 trojans and 3 PUPs. I believe the main infection was a bitcoin miner, identified as trojan.bitcoin.miner. The rest I believe was used to open up my system and compromise it.

My data. For a start, I have a 2TB HDD dedicated to Steam only. I have over 100 games installed on it. I hooked the drive to my old PC and ran multiple virus scans on it, which it passed every one. I then used the Steam integrity checker to check the integrity of all installed games. Everything passed. Nothing had been altered. So as far as I'm concerned this drive is safe to use.

I have a 2TB external. I backed up my main data to this drive. I've had it on the old computer running virus scans and it's coming back clear. I've even opened numerous files in an attempt to try and catch it out, but everything checks out ok. I'm going to take the risk and use this data. I think it's safe. It's just a Windows install, so I have nothing to lose by trying.

Btw, in both instances my old computer has been virus free and still is. It didn't end up infected. Also, my newer main PC has been infection free since I did Malwarebytes and scannow. The infection hasn't come back. But I'm going to reinstall Windows anyway because my OS is damaged.


STOP USING THE DRIVE!

Only use it to extract data from it, and make sure to be careful and sandbox all of the data extracted.

Then erase the drive completely.

A PC Enthusiast since 2011
AMD Ryzen 7 5700X@4.65GHz | GIGABYTE GTX 1660 GAMING OC @ Core 2085MHz Memory 5000MHz
Cinebench R23: 15669cb | Unigine Superposition 1080p Extreme: 3566

3 minutes ago, Vishera said:

STOP USING THE DRIVE!

Only use it to extract data from it, and make sure to be careful and sandbox all of the data extracted.

Away. It's all just a bunch of paranoid nonsense. The drives are fine. The Steam one in particular. I've verified that all files are original and haven't been modified.

Remember, I know how to detect this virus using scanners and I can confirm it hasn't come back on my main system or my old system.


Just now, Digideath said:

Away. It's all just a bunch of paranoid nonsense. The drives are fine. The Steam one in particular. I've verified that all files are original and haven't been modified.

Remember, I know how to detect this virus using scanners and I can confirm it hasn't come back on my main system or my old system.

I will tell you something. I had an infection in 2011, and while I managed to remove the virus and replace corrupted files,

I am still afraid and suspect that there are infected files left, even after I scanned the drive with 5 different anti-virus solutions.

So I am very careful with opening files that were on that drive, and I have never had an infection since.


7 hours ago, Vishera said:

I will tell you something. I had an infection in 2011, and while I managed to remove the virus and replace corrupted files,

I am still afraid and suspect that there are infected files left, even after I scanned the drive with 5 different anti-virus solutions.

So I am very careful with opening files that were on that drive, and I have never had an infection since.

I will tell you something. I have reset Windows and am back up and running with all drives, and all my data is back in place. I'm using it just now. And guess what. No virus. It hasn't come back. Like I knew it wouldn't. One of the trojans was a Win32 virus. It basically infects your OS. But only your OS. FYI, most of the files I dug out and killed were in the c:\windows\system32 folder.
