Overclock.net › Forums › Software, Programming and Coding › Operating Systems › Windows › Really nasty virus, help

Really nasty virus, help

post #1 of 24
Thread Starter 
It all started when avast! detected a "service" as malware. I deleted it, and that was all.

Two days later, I turned on the PC and I noticed it was really slow at the start-up. After a couple of restarts I proceeded to boot in Safety Mode and ran CCleaner for the registry, no luck.


When I logged in I saw my audio was disabled, it was the Windows Audio Service that was like this, and I couldn't start it manually.

Then other services started to shut off as well. When I saw the Windows Security Server down I started to worry even more.


So I attempted to Restore the system to a previous point. At the end I got a "Restore Point has failed, because blah, blah, system has not been restored nor any files".


I started the PC with minimal services and it booted with no problems, then I did the same but only enabling Microsoft services and the problems started. At this point I knew there was an MS service causing the issues.
I remembered Malwarebytes had served me well in the past, so I ran it, and it found 1 infection called "CryptSvc". I later found out that this is the MS encryption service, which is pretty important for a lot of Windows functions.

So, there is something wrong with this service but I don't know what it is. Anyway, I deleted this "infection" and restarted the PC with all normal services, and it worked like a charm. Later I restarted the PC for some reason and when I logged in, there it was again, the problem with services.

This time it was worse because now Windows didn't let me activate an antivirus solution (avast!), it just doesn't work. I ran Malwarebytes and there it was again, the "CryptSvc" infected service.


I attempted to restore the system again, always getting the same error I mentioned above. I was going for it one more time when I opened System Restore and there were no previous points! All gone, not even one.


I want to mention that along all this process I did several chkdsk runs too.


At this point I'm backing up all my stuff and preparing for formatting. What really pisses me off is the fact that I'm probably going to lose my Windows license, as I got it from the MSDN Student Program, so I believe I can't use the same key twice.



I'd appreciate any help. Especially if someone knows of a way to keep my license while eliminating the virus.


I'm sorry for the post being so long, and it's probably incoherent too. Haven't slept in hours troubleshooting this. My Windows is not in English so I may have translated some components' names wrong.


Thanks.
post #2 of 24
I used to get my stuff through MSDN; all you have to do is request another key from them. I used to do this multiple times to have multiple keys for Windows 7. You will have to contact the person in charge of handing out these keys, i.e. the head of IT or Computer Science, as it was for me. I'd say your best bet is to do a fresh install of Windows. I am a proud and supportive user of Malwarebytes, so if that didn't catch it, it has got to be something serious, not your normal rootkit. Sometimes you will have to use Malwarebytes to remove the virus, then reboot, then run it again immediately to get rid of it again; this can sometimes permanently fix it. If all else fails... reinstall.
post #3 of 24
I agree, a format seems like the only way you're going to fix this issue now, and you'll have to get a new Win 7 license from your IT connection. If you had caught it sooner, TDSSKiller and Comodo Cleaning Essentials might have gotten that rootkit, but it seems like your OS is completely borked now.
post #4 of 24
Could try a repair install

http://www.sevenforums.com/tutorials/3413-repair-install.html


You also might see if you can repair the service manually
Code:
rem stop Cryptographic Services so the catroot2 folder is no longer in use
net stop cryptsvc
cd %systemroot%\system32
rem rename the catalog database cache instead of deleting it; Windows rebuilds it on demand
ren catroot2 catroot2old
net start cryptsvc

If either of these work, you're still going to want to thoroughly clean that system.
Edited by W4LNUT5 - 5/15/13 at 4:35pm
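The same catroot2 reset that W4LNUT5 describes above, written as a PowerShell script with the checks you would want before and after it (is the prompt elevated, did the service actually stop, did a fresh catroot2 come back). This is an added example, not code from the post or from Microsoft; the 30-second timeouts and the timestamped backup name are my own choices, and it assumes a standard Windows 7 or later install where CryptSvc is the Cryptographic Services service.

```powershell
# Added example (not the poster's code): reset the CryptSvc catalog cache
# (catroot2) with the checks a practitioner would want. Run from an elevated
# PowerShell prompt. Assumes Windows 7 or later and a default %SystemRoot%.

$svcName  = 'CryptSvc'
$catroot2 = Join-Path $env:SystemRoot 'System32\catroot2'

# Renaming a folder under System32 and stopping a system service both need
# administrator rights, so refuse to continue if we are not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell prompt.'
}

$svc = Get-Service -Name $svcName -ErrorAction Stop
Write-Host "Before: $svcName is $($svc.Status)"

# Equivalent of "net stop cryptsvc", but wait until the service really reports
# Stopped; renaming catroot2 while the service still holds files open fails.
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $svcName -Force -ErrorAction Stop
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
}

# Equivalent of "ren catroot2 catroot2old", with a timestamp so a second run
# does not collide with the backup left by the first one.
if (Test-Path $catroot2) {
    $backupName = 'catroot2.' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.old'
    Rename-Item -Path $catroot2 -NewName $backupName -ErrorAction Stop
    Write-Host "Renamed catroot2 to $backupName"
} else {
    Write-Host 'catroot2 is not present; nothing to rename.'
}

# Equivalent of "net start cryptsvc".
Start-Service -Name $svcName -ErrorAction Stop
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
Write-Host "After: $svcName is $((Get-Service -Name $svcName).Status)"

# Windows recreates catroot2 the first time a catalog is needed, so its
# absence right after the restart is not by itself a failure.
if (Test-Path $catroot2) {
    Write-Host 'A fresh catroot2 folder has been created.'
} else {
    Write-Warning 'catroot2 not recreated yet; it is rebuilt on first catalog use (e.g. Windows Update).'
}
```

Keep the renamed folder until the machine has been through a Windows Update cycle without errors; it is the only copy of the old catalog cache, and as the post says, a working service is not the same as a clean system.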
post #5 of 24
If you can still go online, try Malwarebytes Anti-Malware. If you cannot go online, burn the AVG Rescue CD ISO and boot from that CD; it is a powerful virus scanner.
post #6 of 24
Thread Starter 
Quote:
Originally Posted by W4LNUT5 View Post

Could try a repair install

http://www.sevenforums.com/tutorials/3413-repair-install.html


You also might see if you can repair the service manually
Code:
rem stop Cryptographic Services so the catroot2 folder is no longer in use
net stop cryptsvc
cd %systemroot%\system32
rem rename the catalog database cache instead of deleting it; Windows rebuilds it on demand
ren catroot2 catroot2old
net start cryptsvc

If either of these work, you're still going to want to thoroughly clean that system.



Thank you all for the answers.


I'm liking this option. The only thing that worries me is whether I need to use the same language. I have the Latin American Spanish version of Windows 7 Professional x64, and on that site the version is the Spain variant. What I don't know is whether this version includes the variant for Latin American Spanish.

Mmmm... thinking.
post #7 of 24
The other option is to try and remove/repair whatever you have, and then, once you are sure you got it, run sfc /scannow to repair/replace any system files that may have been missing or infected.
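Before accepting a scanner's verdict that CryptSvc itself is "infected", it is worth checking what the service is actually registered to run and whether those files are the signed Windows components they should be; that tells you whether the service entry has been pointed somewhere it should not be, or whether the files are simply damaged and sfc /scannow (as suggested above) is the right tool. This is an added example, not code from the post or from Microsoft. The helper name Expand-Path and the expectation that a stock CryptSvc runs from svchost.exe with a ServiceDll under System32 are my assumptions; the check reports them rather than enforcing them.

```powershell
# Added example (not the poster's code): report where CryptSvc is registered
# to run and whether those files carry a valid Microsoft Authenticode
# signature. Read-only; runs as a normal user on Windows 7 or later.

$svcName = 'CryptSvc'
$svcKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"

# Helper (my own, hypothetical name): turn a registry ImagePath/ServiceDll value
# such as "%SystemRoot%\system32\svchost.exe -k NetworkService" into a file path.
function Expand-Path([string]$raw) {
    if ([string]::IsNullOrWhiteSpace($raw)) { return $null }
    $exe = ($raw -split ' -k ')[0].Trim('"')      # drop svchost group arguments
    return [Environment]::ExpandEnvironmentVariables($exe)
}

$imagePath  = (Get-ItemProperty -Path $svcKey -ErrorAction Stop).ImagePath
$serviceDll = (Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll

$targets = @(
    @{ Role = 'ImagePath';  Path = (Expand-Path $imagePath) },
    @{ Role = 'ServiceDll'; Path = (Expand-Path $serviceDll) }
)

$system32Glob = Join-Path $env:SystemRoot 'System32\*'

foreach ($t in $targets) {
    if (-not $t.Path) { Write-Warning "$($t.Role) is not set for $svcName"; continue }
    if (-not (Test-Path $t.Path)) { Write-Warning "$($t.Role) points at a missing file: $($t.Path)"; continue }

    $sig    = Get-AuthenticodeSignature -FilePath $t.Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    $inSys32 = $t.Path -like $system32Glob

    New-Object PSObject -Property @{
        Role       = $t.Role
        Path       = $t.Path
        InSystem32 = $inSys32
        SigStatus  = $sig.Status
        Signer     = $signer
    }

    # A service host or DLL living outside System32 is the strongest single
    # signal here. Signature status needs care: many Windows 7 OS files are
    # catalog-signed rather than embedded-signed, and a damaged catroot2 (this
    # thread's symptom) can itself make catalog verification fail, so
    # NotSigned alone is not proof of tampering.
    if (-not $inSys32) {
        Write-Warning "$($t.Role) ($($t.Path)) is outside System32; not where a stock $svcName runs from"
    } elseif ($sig.Status -ne 'Valid') {
        Write-Warning "$($t.Role) ($($t.Path)) signature status is $($sig.Status); compare against a known-good copy or run sfc /scannow"
    }
}
```

If both paths are under System32 and only the signature check fails, that is consistent with damaged catalog data or a corrupted file, which is the case sfc /scannow is meant for; if a path points elsewhere, treat it as a finding for the scanner rather than something to repair by hand.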
post #8 of 24
Safe mode, download Malwarebytes from a 2nd computer, install it, then run it on the safe-mode computer. Or system restore to a previous point. Malwarebytes saved me so many times, well, not me exactly, fixing relatives' computers *sighs*
post #9 of 24
Thread Starter 
Guys, I logged into MSDN and I found out that there are 2 editions of W7 Pro, one with SP1 and the other one without.

The one I'm using now (on the infected PC) is the one "without", so I still have the other edition left; they are both different, so I can get a new license for the one with the service pack.

Edit:

I'm downloading it now. I can confirm my current serial key is different from this new one :D


I'm going for a clean install just in case.


Also, I realized I have Windows 8 available too, but I think I'd rather have no OS than that :lol:
post #10 of 24
It doesn't matter if you download the one with the service pack or not. The key only cares that it's being used with a disc that matches its type, like Win 7 Home Premium to Win 7 Home Premium. It's suggested to download the disc that has SP1 on it so you don't have to wait for it to download and install through Windows Update. It won't change how you reinstall the OS whatsoever, just as long as you get the ISO to match the key.