An employee called up last week complaining that his computer was getting slower and slower, and now wouldn't boot at all. I pulled the HD, put it in a remote case, copied the image and booted another diskless machine with a build of a live Win32 CD packed with AV and system tools, and found, with a scan from other AV and antimalware tools, a virus and trojan called Packed.Win32.Krap.hc.
After cleansing the HD and checking its registry for errors, I popped the copied drive back into the machine, and when it rebooted it seemed that all the programs were gone. I tried to pull up the Task Manager to see what processes were running and found that this had been disabled. I could run Kaspersky at this point, and it came up with the virus in one of the recovery slots. Kaspersky said it could not remove it, and a fake Kaspersky dialog came up with an alert stating pretty much the same thing that the real Kaspersky was stating, prompting me to either disinfect or ignore it. I of course never even clicked on anything. It was a little off in where to find its path.
I shut down the system immediately by unplugging the computer. I rebooted with a Linux build and did a force mount on the HD, as it was reporting that the Win machine had locked access to the recovery area. I deleted the files that the real Kaspersky claimed it could not delete nor disinfect. Rebooted and did a full scan, and Kaspersky found it clean. Opened the Program Files folder and found that it was empty. Went to Folder Options and found that Hide Extensions, Hide System Files, and Hide Protected Operating Files were checked, as well as Do Not Show Hidden Files and Folders. I unchecked them all, and the files were all there.
A call to the employee revealed that a weird error had popped up, and he wrote it down: "HD critical error, Write Filed." I asked him if he wrote it down correctly, since it should have been "Write Failed" instead of "Write Filed," and he swears he wrote it down exactly.
I tried to restart the original HD, and when I was able to log in, it came up with fake Kaspersky alerts and critical errors similar to what the employee described. A fake Windows Security alert finally came up, and his browser came up to a fake Microsoft site. When I hit Alt+F4, it asked me if I really wanted to navigate away from this site.
I pulled this drive and put back in the clone that was partially fixed, reran the live CD to scan for other anomalies, found that the registry had been hacked in several places, and fixed these to get rid of backdoors. Rebooted, and the drive would not go to Safe Mode. Went to the system folder and tried to run the Task Manager by renaming it, and it still wouldn't run, claiming that it was disabled. I did, however, rename the restore and picked a very early date. Reran Kaspersky and it found the disk clean. I rebooted to a live CD with other antivirus and malware tools and found one more instance of this bugger hiding deep in the Dell programs recovery.
I am correct in the name of this variant: Packed.Win32.Krap.hc
I am not sure that it caused all the damage described, as I had other malware and antivirus tools running on the live CD as well as registry fixers to clean this drive, but a lot of time was spent to clean a sensitive company HD. They go to a lot of Government sites and download technical documents (PDFs and Word) as well as mapping services, since we are an engineering firm.
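Two of the symptoms in the post, Task Manager reporting itself disabled and Program Files appearing empty until the hidden/system file options were unchecked, can be checked quickly on a suspect Windows system. The script below is an added example, not code from the original post; it reads the DisableTaskMgr policy value in HKCU and HKLM and counts how many files under the chosen roots carry both the Hidden and System attributes. The default roots, the sample size, and the decision to leave file attributes alone (only the Task Manager policy is cleared when -Repair is given) are assumptions; restoring attributes on thousands of files is a judgment call best made after reviewing the report.

```powershell
# Added example (not from the original post): report-only audit of the two
# symptoms described above. Run in an elevated PowerShell as the affected
# user. Roots and thresholds are assumptions, adjust to the machine at hand.
param(
    [string[]]$Roots = @("$env:ProgramFiles", "$env:USERPROFILE"),
    [switch]$Repair   # clears only the DisableTaskMgr policy; attributes are left for review
)

# Check whether Task Manager has been disabled by policy in either hive.
function Get-TaskMgrPolicy {
    foreach ($hive in 'HKCU', 'HKLM') {
        $path = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $v = (Get-ItemProperty -Path $path -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
        [pscustomobject]@{
            Hive    = $hive
            Path    = $path
            Value   = $v
            Flagged = ($v -eq 1)   # 1 means Task Manager is disabled
        }
    }
}

# Count files with both Hidden and System set; a ratio near 1.0 under
# Program Files matches the "folder looks empty" symptom from the post.
function Get-ConcealedFiles {
    param([string[]]$Paths)
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force makes Get-ChildItem return hidden and system items as well
        $all = Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue
        $concealed = $all | Where-Object {
            $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
            $_.Attributes.HasFlag([IO.FileAttributes]::System)
        }
        $total = ($all | Measure-Object).Count
        $count = ($concealed | Measure-Object).Count
        [pscustomobject]@{
            Root         = $root
            TotalFiles   = $total
            HiddenSystem = $count
            Ratio        = if ($total) { [math]::Round($count / $total, 2) } else { 0 }
            Sample       = @($concealed | Select-Object -First 5 -ExpandProperty FullName)
        }
    }
}

Write-Host '== Task Manager policy =='
Get-TaskMgrPolicy | Format-Table -AutoSize

Write-Host '== Hidden+System files under the chosen roots =='
Get-ConcealedFiles -Paths $Roots | Format-List

if ($Repair) {
    # Only the policy value is removed; Windows treats a missing value as "enabled".
    foreach ($p in (Get-TaskMgrPolicy | Where-Object Flagged)) {
        Remove-ItemProperty -Path $p.Path -Name DisableTaskMgr -Verbose
    }
}
```

Save it as a .ps1 and run it with no arguments for the report; a handful of Hidden+System files (desktop.ini and the like) is normal, while a ratio close to 1.0 under Program Files is what the post describes. Clearing the DisableTaskMgr value restores Task Manager immediately for the current session in most cases; if it comes back after a reboot, whatever set it is still running, which is exactly the situation the post ran into before the second live CD scan.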