Thursday, October 20
New virus out now?
This week I have seen some freaky things happen with computers, and I really am starting to suspect a virus, one out in the wild that hasn't been picked up yet.
I started with Deb's computer, which had a rootkit installed at one point. Another friend of hers looked at it, and thought he had cleaned it pretty well. I had a look at it, and scanned, and cleaned, and scanned and cleaned it some more. I knew something was up, as I was still getting popups on the computer, even though I had run Lavasoft's Adaware, Spybot Search & Destroy and Microsoft's AntiSpyware. Usually just the combination of Adaware and Spybot is enough to blow all the crap out of a system. So I have to admit at this point something was installed and running (I couldn't find anything out of the ordinary, except for the FTP, Web and Telnet services that the rootkit had installed and running, which I had shut off) that wasn't showing up in the process list, nor was anything out of bounds being shown in the autoruns program that usually finds everything that starts up. Although I just now checked, and I ran version 7.0, and they are already up to 8.22. Hmmmm. Not good. OK, I updated that program, both on my machine and on my flash drive. Going to have to update the other machines as well.

Boy, have I missed out on some changes. Eek!
By the time I finally got back to the machine, with the latest/greatest Microsoft malware removal program and a security scanner program, the machine had gotten hosed. The problem was a corrupted registry. Video was screwed, and as I found out later, I couldn't even install software. She was running Goback, and I noticed as I kept trying to roll back her computer that at one point, when nobody was actually home, the computer had started to reboot every 10 minutes, reminding me of the Zotob virus. I had the machine spontaneously reboot on me a couple of times, once just by trying to exit a DOS window screen. Going back as far as I could, I couldn't get a valid copy of the registry. No ERD (which is problematic anyway, since an ERD by that time would have exceeded the size of a floppy). Reinstalling Windows isn't an option, because of Goback (which does something with the MBR), and uninstalling Goback (which I've done before) isn't an option because the registry is corrupted. The only option that I now see is to install Windows on a new hard drive (I've got an 11 gigger that I'm going to use), get Goback installed so that I can get access to the former boot drive (and probably uninstall it while I'm at it), install CD/DVD writer software and copy the data off the corrupted disk onto DVDs, put the original hard drive back the way it was, and reformat and reinstall. The other guy has said something about a corporate version of Windows 2000 having problems, but there is no corporate version of 2000 like there is for XP. So I don't know what that's about.
Now a datapoint of one doesn't mean squat. But today, while I had lunch at a Krystal's, a maintenance guy from corporate was having problems with his laptop. I offered to take a look, and his laptop wasn't booting correctly. It was going off about an error in the registry (gee, that sounds familiar) and dumping memory to the hard drive. I tried a couple of different ways to reboot it, and it just wouldn't work. I told him he needed to send it back to Corporate and have them figure out what was wrong with it, or at the very least reimage the hard drive (most likely).
Then a co-worker of The_Rose's called. His XP laptop was having the same exact problem. Now, there does seem to be a way to fix this. Microsoft has some KB articles on this (which I'm going to list for archival purposes).
How to recover from a corrupted registry that prevents Windows XP from starting
How to back up, edit, and restore the registry in Windows XP and Windows Server 2003
How to gain access to the System Volume Information folder
Microsoft: Windows XP Pro FAQ - Tek-Tips - Cannot Boot Windows due to Corrupt Registry
How to troubleshoot registry corruption issues

Am I just running into a coincidence of errors, or is there something out there that is wreaking all this havoc?
Permanent link posted by bytehead @ 10/20/2005 06:24:00 PM