Watch Out! System32 Malware Virus on the move!

[blueskydriver]

Hey Everyone,

Just wanted to notify everyone that a System32 Malware Virus is on the move and it will knockout your windows\system32 completely! Oh yes, I got this thing last week and not only did it shut off AVG, malware bytes and another blocker, it jumped into my system via a flight sim website.

Anyway, you will get multiple notices about doing a chkdsk on your hard drive first, after that all your icons will stop working or not open any programs, and the start button on the windows taskbar will not lead to any programs. So, in effect, it ruins your windows installation! Once you restart the computer you will get a BSD or a Black Screen of Death right after the POST.

Therefore, I'd like to suggest to everyone that you have a fool proof backup of your computer, and not only your sim computer, but your day-to-day computer. The best thing is to have a mirrored backup of your system and to make sure it is done each and every night.

Now, if you find yourself in my situation, there is hope, but you will have to go the long way to get there. I had a recovery disk; however..., it did not rebuild the system32 folder because a recovery or even a windows disk in repair mode will not work if the system32 folder is missing! I worked at it for three days and finally found that on a recovery disk you can hit alt and D keys, plus click a button on the screen to get to the DOS shell.

Yep, that's right, old DOS is still running in the background on Windows OS. Anyway, I got into the DOS shell to get to the command prompt, and from there I was able to make a new system32 folder, and then copy the system32 files from the recovery disk. Thus, the actual recovery or repair could now take place. What did this do for me? Well, all my data files, folders and structures were still in place, and that is what I wanted most! Even more so, that meant I could recover the Windows OS, albeit in a fresh Windows recovered mode and not a clean install after a format of the hard drive.

I mentioned backups earlier and yes, I had one...sort of. For whatever reason my backup was not happening, even though I programmed a dedicated network backup drive to run each night. Sadly, the most recent backup was dated back to March of 2011! Of course I assumed it had been running normally. Anyway, that is why I wanted to recover my computer so badly...March 2011 is like a 1000 years in computer time. Besides, it is my day to day computer where everything is ordered from, as well as all my flight sim downloads with serial numbers and etc are kept. Even thoguh I write everything down, I was thinking about all the stuff I might have forgotten to write down.

Finally, I just wanted to share this story and hopefully prevent anyone else from going through this. I did mentioned it came from a flight sim site and knowing how most of us cruise all the different sites, I figure it better to let you all know before it happens too you...

John

[Joe Lavery]

Hi John,

That's quite a disturbing tale and I'm pleased to see it had a happy outcome. Good of you to give us the heads up on this.
For those that do not have a backup system, I use a free open source program called Create Synchronicity:

http://synchronicity.sourceforge.net/

It can be set to run automatically each day, or week, or whatever you like and you can also define which files and folders to backup. I have a 1 Terrabyte USB3 hard drive that I backup to every day. It's some comfort to know that in the case of a hardware failure, or in a situation like John found himself, that you'll only lose the current day's data. 

Hope that may be of some help to you guys.

Joe.

[fordgt40]

Hi John

Thanks, that prompted me to update my backups

David

[Maurice]

Hey Everyone,
, it jumped into my system via a flight sim website.

John

Hi John,

Glad you were able to recover without too much grief. Do you happen to remember what site might have infected your PC and were you downloading something or were you just browsing the site?

Thanks,
Maurice

[blueskydriver]

Well, got the drives formatted and starting to reinstall everything. It sure is a long process, even more so because I had to get two USB external backup drives running first, and then backup all the salvaged data. Afterwards, once the formating is done and the OS is running, the same external drives have to be setup again..,

Anyway, this will be my last post on this event, but before I finish up I wanted to pass along 3 things:

1. Always backup to a mirror drive; forget backup programs that do it for you via some program routine...like Retrospect or whatever. A mirrored drive(s) would be a short 1-2 hour affair, the other way you have to reinstall the OS and all your programs over again.

2. Make Restore Points right before you update any files or install anything. Don't rely on system checkpoint restore points, make them yourself and name each one as to what you're doing at the time. By the way, your restore points are kept in the Windows\System32 folder, so go into that folder after you read this post and find them, and then back them up to another off computer location...do it!...do it now! Trust me, I wish I had...

3. Right before I reformatted, I downloaded a free program known as Belarc Advisor. This program will tell you everything you have installed, all your updates and even your computer's system info. You know those program files that show when you select start>programs; well, you can view and printout a list of all of them. This is a great thing because I now know what I had installed without writing it all down myself...that would've been another night alone just doing that if I had too.

Finally, I usually am the biggest promoter of Restore Points and Backups; however, the last two weeks shows that no matter how much you do in this regard, you have to do even more to keep at it daily! Hopefully, this will never happen too any of you, as I can say, it wasn't a fun flight.

John

Ps. Start shopping for your mirror drives.

[blueskydriver]

Just when you think all is good...bam! You get hit again! The same computer after a week of running with multiple shutdowns and restarts, I turn it on this morning to read "Wnidows is missing winows\system32\ntoskrnl.exe...blah blah.

Talk about the curse words flying around the room! Anyway, I am trying to copy the file back from the Win CD, but not sure if it'll work. I figure I have 1of3 issues: 1 is I downloaded another or similar virus/malware. 2 the previous virus or malware made it onto the backup drive and got copied back over. Or, 3 since this box is a Raid 0 dual drive stripe setup, one of the drives is going out or the onboard drive controller is freaking out.

Got to say this is the worst type of virus/malware because it is hard to resolve, and I keep thinking "if I ever meet a hacker or virus maker, I'd like to...uh, well you get my point.

John

[sagrada737]

I have found that running these checks a couple of times each day has almost eliminated virus/malware problems:

1.  SuperAntiVirus  (free)
2.  Malwarebytes  (free at malwarebytes.com)
3.  CCleaner  (free)

I also run Microsoft Security Essentials, and also have installed AdBlock (free) on GoogleChrome.

Sorry you got tapped.  I know how frustrating it can be.

Mike

[blueskydriver]

Here I thought I was done with this thread...lol. I am actually back online with the computer itself; although, it has been a very long stretch to get over it. 3 weeks or so with it failing 3 times; the first two times from the virus/malware and the third because I formatted the wrong drive! So, that last one was a user mistake.

Anyhow, I learned or relearned a lot from my past on the things I used to love/hate. I used to build/fix computers, but got the "burn-out" factor back in 2006; thus, I only did my own after that. Well, without many failures you forget or put what you know way back in the memory file cabinet...

Finally, here are a few tidbits I want to pass along:

1. Do mirror backups every day or at least every other day while you're sleeping.
2. If you have a Raid 1 with two drives you can set them up as a mirror pack, as opposed to Raid 0 stripping. Yes, you loose speed, but it's worth it when the PC is not your FSX box.
3. Use an Antivirus, Malwarebytes and whatever else to protect your system. I use AVG over Nortorn because AVG is faster.
4. Even though I have the mirror drives, I am using Norton Ghost now to do backups of the entire system to an external USB drive.
5. Make sure you don't erase the wrong drive once you get it all done and are overly excited that it's working for the "SECOND" time!

If I didn't mention it already, the reason why this box is so important is because everything goes through it. I use it for email, surfing and whatever, but it is used more importantly too download Add-ons, Fixes and Programs for the Sim. This way it prevents the computers in the Sim from having this happen to them; especially, the FSX High-end PC. Now that would be a nightmare to redo that one only because the Sim would be totally down and I couldn't get my fix of flying it!

Hopefully wishing this never happens to you,

John

[nicd]

Thanks for the heads up John. Just finished building 4 sim PCs so your advice will be put to use!

Just so we can be aware .. what was the sim website that you picked up the virus from?

cheers
Nic