Sony Vaio with malware
MothballsWallet
Posts: 15,913 Forumite
in Techie Stuff
Hi everyone,
trying to fix a friend's Sony Vaio laptop (System Properties says Intel T2050 processor at 1.60GHz, 504MB RAM) running Windows XP Media Center with SP3 on it that's got some viruses and forms of malware on it. What I did is as follows:
- Booted with Antivir Rescue CD and scanned for viruses, allowing it to delete/rename infected files as necessary.
- Booted up into XP as normal and removed McAfee suite (only the Privacy Center was installed and working, everything else was a trial option).
- Strangely, the network adapters don't work now for some reason, their status in Device Manager is that their driver is missing or corrupted (well, it isn't missing because it is where it is supposed to be in C:\WINDOWS\System32\Drivers).
- Installed latest Spybot, Malware Bytes (MBAM) and CCleaner.
- Ran scans with CCleaner and MBAM and allowed them to clean what they can.
- There are 2 references to a file called wusorevo.dll - even in Safe Mode, MBAM recognises it as a Trojan Horse but cannot delete it because it keeps coming back when I reboot.
- Regedit access is disabled on this machine (All named accounts are Administrator level), so I can't go in and delete the references to this dll file manually.
- Tried uninstalling and reinstalling the driver software to no avail.
- I've been able to get into Safe Mode, but only as a named user (not Administrator), to install AVG Free 8.5, and MBAM tries to delete the .dll file mentioned above, but the little bar steward keeps reinstalling its reference. The file no longer exists in C:\WINDOWS\System32.
- Have saved the logs from MBAM and running HiJackThis (they're on my website) - MBAM's log might say that it has deleted the wusorevo.dll reference, but trust me, it hasn't worked.
- Have reinstalled the Wireless network adapter drivers when in Safe mode, but they're still coming up as "driver corrupt/missing" status in Device Manager when I reboot into normal mode.
The only other thing I can think of right now is to reboot using my Windows XP setup CD because I think there may be some tools sitting on that which I can use, but ideally I'd have the CD for this particular machine.
I'm sure there's something I missed, and can anyone advise me on what to do next?
0
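An added example, not part of the thread: a DLL reference that returns after every reboot, together with a locked-out Regedit, are both things a HijackThis log records, so a quick triage of the log shows every load point that still names the file. The sample lines and CLSID below are constructed for illustration and are not the poster's actual log.

```python
import re

# HijackThis section codes relevant to this case.
LOAD_POINTS = {
    "O2": "Browser Helper Object",
    "O4": "Run key / Startup folder",
    "O7": "Regedit disabled by policy",
    "O20": "AppInit_DLLs / Winlogon Notify",
}

# Constructed sample lines in HijackThis format (illustrative only).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\wusorevo.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\wusorevo.dll
O20 - Winlogon Notify: example - C:\WINDOWS\system32\other.dll
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def triage(log_text, dll_name):
    """Return (load points naming dll_name, Regedit lockout entries)."""
    refs, lockouts = [], []
    needle = dll_name.lower()
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header lines, blank lines, running-process list
        section, body = m.groups()
        if needle in body.lower():
            # Every hit is a place the reference must be removed from,
            # even when the file itself is already gone from disk.
            refs.append((section, LOAD_POINTS.get(section, "other"), body))
        if section == "O7" and "disableregedit" in body.lower():
            lockouts.append(body)
    return refs, lockouts

if __name__ == "__main__":
    refs, lockouts = triage(SAMPLE_LOG, "wusorevo.dll")
    for section, meaning, body in refs:
        print(f"{section} ({meaning}): {body}")
    for body in lockouts:
        print(f"Regedit lockout: {body}")
```
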
Comments
-
Have a look into Bitdefender's boot CD, it's a good tool and might pick some more stuff up.
Make sure you plug the computer's ethernet in though so it can update the virus defs.
You just need to make sure it's clean. I would not recommend using AVG, try using a trial of Kaspersky http://www.kaspersky.com/anti-virus_trial
Combine that with Malwarebytes Anti-malware, which you've already got, and Superantispyware (free) and you should be 99.99% clean.
0 -
Hi Jaffa, thanks for your suggestions, and I'll try Bitdefender and Super Antispyware in safe mode.
The other problem is the network card drivers (both wired and wireless) don't work properly any more, and I've been trying to get them working so that I can get all the virus and spyware tools' definitions updated, but no luck so far.
0 -
Ah the network's not working. With Bitdefender it should work with the wired network (and wireless) but try wired first, if that fails use the network config tool and obvs pick the wired options and it will auto config itself.
*Just in case, here's a link on how to burn an ISO as that's how the Bitdefender CD is downloaded. Use the Imgburn one
The network problem sounds like a problem in Windows.
Do the networks show up in Device Manager without any yellow or red markings? If they do it's a driver issue (yellow) or the network's disabled (red)
If you can connect to the network but get no internet then check the router settings (can you access the router's config page from that laptop?), firewall settings on the laptop. Try running the McAfee removal tool too as it might be left over parts of McAfee doing something with the network settings http://service.mcafee.com/FAQDocument.aspx?lc=1033&id=TS100507
0 -
MothballsWallet wrote: »What's making things more difficult is that my friends don't have the password for the administrator account - I've tried the ones they suggested, no password at all, admin and even the computer name, but none work.
See if this works to get you in the admin account.
http://www.youtube.com/watch?v=i7J6oC9Mk88
0 -
Hi again Jaffa:
> Ah the network's not working. With Bitdefender it should work with the wired network (and wireless) but try wired first, if that fails use the network config tool and obvs pick the wired options and it will auto config itself.
I'll reboot with the Bitdefender CD, I've connected the laptop to my router with a cable, and I'll try getting the Linux system to auto config and connect for me.
> *Just in case, here's a link on how to burn an ISO as that's how the Bitdefender CD is downloaded. Use the Imgburn one
I've got a CD and DVD tool that allows me to burn a disk from an ISO image, and that seems to have given me a usable CD - problem is that Bitdefender detected 7 threats, but when I asked it to Disinfect from the options list at the top of the window it couldn't remove them for whatever reason.
> The network problem sounds like a problem in Windows. Do the networks show up in Device Manager without any yellow or red markings? If they do it's a driver issue (yellow) or the network's disabled (red)
They show up as Yellow markers, and the status message in properties says that the driver file is corrupted or missing (not missing as the file is there): I'm going to remove the software for the wired and wireless LAN adapters and try putting on the newest ones.
> If you can connect to the network but get no internet then check the router settings (can you access the router's config page from that laptop?), firewall settings on the laptop. Try running the McAfee removal tool too as it might be left over parts of McAfee doing something with the network settings http://service.mcafee.com/FAQDocument.aspx?lc=1033&id=TS100507
I ran the McAfee removal tool as well, and I think it's removed as much as it can. The router settings I can access from my own laptop, which works well through it.
I'll try those as soon as Super Antispyware has finished running its scan.
0 -
Millionaire wrote: »
Cheers, Millionaire - I've used that trick to set up a new password for the admin account, and I'll try that as soon as I've completed the Super Antispyware scan.
0 -
it may also be worth trying the Avira rescue CD and/or the Kaspersky one
0 -
Right, cool!
Yeah as long as you can get the network up and running you can update the tools via Windows and get the system clean!
Bitdefender's good for making sure nothing is left behind because nothing can hide + super detection rates... and for making sure network connections work
Tell us how it goes!
0 -
gaming_guy wrote: »it may also be worth trying the Avira rescue CD and/or the Kaspersky one
Avira was the first one I tried, and I am concerned that its virus removal did something to the network driver files, but they're now always showing with the yellow marker, which is very frustrating (flaming Windows Media Center :mad: )
0 -
> Right, cool!
> Yeah as long as you can get the network up and running you can update the tools via Windows and get the system clean!
> Bitdefender's good for making sure nothing is left behind because nothing can hide + super detection rates... and for making sure network connections work
> Tell us how it goes!
Millionaire's tip worked perfectly - I've now got Admin account access, and have been able to get rid of the unwanted wusorevo.dll reference with CCleaner and Super Antispyware.
The problem with the network card drivers is still there - the biggest issue is that they are made by companies I've never heard of before (not to say they're bad, just obscure).
For example, the wired LAN adapter is made by Marvell and the wireless adapter is made by LAN-Express but Sony also bundled Intel's wireless LAN driver and software with the system.
Fortunately, the driver installation packages are kept on the C: drive for easy access.
I'm very tempted to call the Sony helpline and get their advice if the newest drivers don't work. Well, here I go to find the latest drivers...
0
This discussion has been closed.