#1
Posted 06 August 2009 - 12:42 PM
Hi,
I've been tasked with cleaning a friend's computer, and it seems really bad. I know he is infected with Windows Antivirus Pro and System Security, but there seems to be much more than that. At first I ran Kaspersky Rescue Disc, which found and removed over 70 threats, but Win AV Pro and System Security still remained.
I was directed to mbam by some searches which said it will find and remove these infections. At first, these infections locked down the Task Manager, command prompt, registry, Control Panel, and basically every program from running. However, I followed some threads here and used Process Explorer to close down the System Security processes by renaming it winlogon.exe.
So now I'm at a point where I can use the Task Manager and Registry Editor, and install and run programs. However, after installing mbam, when I go to run it, it shuts down and gets deleted, which makes me think there is something else here, perhaps a rootkit.
So I started following the rootkit advice, but I can't get anywhere with it. Any program I try to run gets shut down and deleted, even if I rename the exe to winlogon. I can install HijackThis, but when it starts running it closes, and if I run it again I get a message saying "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access this item." The same thing happens with mbam.
I tried running RootRepeal, but when I start it up it just hangs at a window which says "Initializing. Please wait..." I waited over half an hour for that to start, while it starts instantly on another machine.
So I'd like to know if anyone can help me. I'm afraid I can't provide any log files, because all the programs either won't install, won't run, or get terminated and deleted by the infection. Is there something more basic, with the console or registry, I can do to get rid of this infection? Is there a manual way to identify it?
Thanks in advance, and please let me know if there's any more information I can provide you with which would be helpful.
#2
Posted 07 August 2009 - 01:12 AM
One more thing, this computer looks like it hasn't been updated since 2004. It has IE 6 and SP 2, but there's a large number of fixes waiting in the Windows Update queue. I tried downloading them and it fails each time.
Is there a way to identify what is closing and locking the antivirus scanners before they finish? Presumably it's not System Security or MS Antivirus Pro, since I ended their processes.
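The question above asks for a manual way to find what is killing the scanners. As an added example that is not part of this thread, the batch file below dumps the autostart and file-association locations a practitioner reads by hand on an XP-era machine: the exe/com/bat "open" commands (a hijack there blocks or redirects every program launched), the Winlogon Shell and Userinit values, Image File Execution Options entries carrying a Debugger value, the Run/RunOnce keys, AppInit_DLLs, every service and driver ImagePath, and the hosts file. It assumes the built-in reg.exe, findstr.exe and type are still allowed to run and that the account is a local administrator; the output file name is an arbitrary choice. Nothing here removes anything, so it is safe to run before deciding on a fix.

```batch
@echo off
rem Added example, not from this thread: dump the registry locations and
rem files that are checked by hand when every scanner dies on launch.
rem Assumes Windows XP or later, built-in reg.exe / findstr.exe, and a
rem local administrator account. Output file name is an arbitrary choice.
setlocal
set "OUT=%USERPROFILE%\Desktop\autostart-dump.txt"

rem Default data for each of these is  "%1" %*  ; anything else (an extra
rem exe in front, a different path) is a hijack of program launching.
echo [exe / com / bat open commands] > "%OUT%"
for %%A in (exefile comfile batfile) do (
  echo [%%A]>> "%OUT%"
  reg query "HKCR\%%A\shell\open\command" >> "%OUT%" 2>&1
)

rem Defaults are Explorer.exe and C:\WINDOWS\system32\userinit.exe, (trailing comma is normal).
echo.>> "%OUT%"
echo [Winlogon Shell / Userinit]>> "%OUT%"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell >> "%OUT%" 2>&1
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit >> "%OUT%" 2>&1

rem A Debugger value under IFEO\<tool>.exe silently runs that "debugger"
rem instead of the tool. The filter keeps subkey lines and Debugger lines;
rem read a Debugger line together with the key line printed just above it.
echo.>> "%OUT%"
echo [Image File Execution Options with a Debugger value]>> "%OUT%"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s | findstr /i /l /c:"Options\" /c:"Debugger" >> "%OUT%" 2>&1

echo.>> "%OUT%"
echo [Run / RunOnce keys]>> "%OUT%"
for %%K in (
  "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
  "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
  "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
  "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
) do reg query %%K >> "%OUT%" 2>&1

rem AppInit_DLLs is loaded into every process that links user32.dll; it is
rem normally empty on a home machine.
echo.>> "%OUT%"
echo [AppInit_DLLs]>> "%OUT%"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs >> "%OUT%" 2>&1

rem One ImagePath per service or driver. Look for paths under Temp, user
rem profiles, or names that do not belong to a known product.
echo.>> "%OUT%"
echo [Service and driver image paths]>> "%OUT%"
reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /v ImagePath >> "%OUT%" 2>&1

rem Search-result redirection is sometimes done with hosts entries.
echo.>> "%OUT%"
echo [hosts file]>> "%OUT%"
type "%SystemRoot%\system32\drivers\etc\hosts" >> "%OUT%" 2>&1

echo Done. Copy "%OUT%" to a clean machine and read it there.
endlocal
```

If reg.exe is itself terminated on launch, which the thread's symptoms make likely, copy the script and a renamed copy of reg.exe from a clean machine, or run the same queries against the offline hive from a boot CD after loading it with regedit's Load Hive; the values to inspect are identical either way.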
#3
Posted 09 August 2009 - 11:49 PM
Okay please try the following. Download and burn from a CLEAN system.
Avira AntiVir Rescue System
Requires access to a working computer with a CD/DVD burner to create a bootable CD.
- Download the Avira AntiVir Rescue System from here
- Place a blank CD in your burner and double-click on the downloaded file named rescue_system-common-en.exe
- If the above link does not work please try this one: here
- The program will automatically burn the CD for you.
- Place the burned CD into the affected computer and start the computer from this CD.
- On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
- Click on the Configuration button.
- Select Scan all files
- Select Try to repair infected files and Rename files, if they cannot be removed
- Select Scan for dialers
- Select Scan for joke programs (Jokes)
- Select Scan for games
- Select Scan for spyware (SPR)
- Click on Virus scanner
- Click on Start scanner at the bottom of the screen
- Currently the program does not support saving a log. Write down the number of items for Records, Suspect files, and Warnings.
Possible solutions to Screen Resolution and other issues
- Please see the post here if you're unable to view the entire screen of Avira.
- You can also review this one Fixed Rescue CD Resolution Probs with Dell Video
- Currently only the German keyboard is supported; the command line does not work with English keyboards without workarounds.
- Some computers attempt to mount the floppy even though they don't have one. You may need to go in to the BIOS and disable the floppy drive in order to mount your hard drive for scanning.
#4
Posted 10 August 2009 - 01:19 PM
Here are the results of my scan:
directories: 5015
scanned files: 226608
alerts: 43
suspicious: 0
repaired: 0
deleted: 0
renamed: 43
quarantined: 0
warnings: 17
scan time: 00:27:47
Here are some threats it found. I omitted duplicates.
TR/Drop.Spybot.D
TR/CryptRedol.19456.3.3
TR/Crypt.ZPACK.Gen
TR/Ertfor.B
TR/Dldr.Snilis.B.21
TR/Dldr.Calper.acm
TR/Dropper.Gen
TR/Crypt.Redol.22528.3
HTML/Infected.WebPage.Gen
TR/Rootkit.Gen
BDS/Backdoor.Gen
TR/Agent.xdo
TR/Wimpixo.61440A
TR/Dldr.Apropo.R.2
TR/Fake.Antivirus.C
TR/Fake.Antivirus.B
TR/Ertfor.B.1
WORM/Nyxem.Z
TR/Crypt.ULPM.Gen
TR/Calper.afl
Doesn't look good, does it? As this shows, none of the threats were deleted, just renamed. Does this get rid of them? I tried reinstalling mbam again and it has the same effect of closing and locking access from me.
However, I did notice the characteristic service svchast.exe of Microsoft Antivirus Pro was not running at startup. But when I do a Google search in IE and click on a search result, it still takes me to an unrelated page.
I found I can run DDS without trouble. If you want I can post the log files from that.
Thank you for your help so far, any ideas to move forward are greatly appreciated.
#5
Posted 11 August 2009 - 07:59 AM
Please run the following. Make sure you disable your Anti-Virus first or it will block it from doing its job.
Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.
Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
- When the tool is finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
#6
Posted 11 August 2009 - 12:08 PM
Thank you for your prompt reply,
When I double-click on the file, a box appears with a green progress bar. The bar fills, but nothing happens. If I run the program while looking at the Task Manager, a bunch of processes are created and destroyed promptly. This is the same if I rename the file on download, transfer it from a clean computer, or run it in Safe Mode.
I have disabled all anti-virus and firewalls, including windows firewall.
Is there any other thing which could prevent it from running? I look forward to your next response.
#7
Posted 12 August 2009 - 09:51 AM
Please try starting in Safe Mode and renaming the file if you have to and see if it will run.
If not then take a look at this.
Please review the FAQ for a possible solution.
Please especially check Issue# 5
#8
Posted 13 August 2009 - 02:05 AM
Thank you for your reply,
Well, after trying all the suggestions in that FAQ and running it in Safe Mode, I couldn't get anything to work.
I'm thinking it's about time to throw in the towel and reformat; the person whose computer this is has been without it for almost a week at this point. If you don't have any other suggestions, I think this might be what I tell the person.
#9
Posted 13 August 2009 - 02:21 AM
Please try the following. If that does not help then there are some other things we can try, but if you're under a time constraint to complete this then let me know. Running scans and fixes does take time and for some people they just find it easier to save the data and reformat, but others don't want to lose all the customization, etc or don't have all the original install disks so they want to spend the time to remove the Malware.
Do you have or can you build an Ultimate Boot CD for Windows?
#10
Posted 13 August 2009 - 02:27 AM
I had just run that scan again earlier today. Nothing has changed since the last time: 43 alerts, 17 warnings, nothing suspicious, so at least it's not getting worse!
I'm not under a strict time constraint; I'm just thinking about what a reasonable amount of time to have your computer out of commission is. Anyway, the person whose computer this is is going on vacation next week, so they won't miss it in that time.
Thank you for your prompt reply
#11
Posted 13 August 2009 - 02:32 AM
Just read your edited reply: I do not have one, but I can make one. Which version should I use?
#12
Posted 13 August 2009 - 09:14 PM
The latest is 3.5 I think.
One last thing you can try is this. Please only do this portion and not anything else posted.
http://www.malwarebytes.org/forums/index.p...st&p=108942
Start at option #2 and ignore #1
If that too does not work or help then build the disk and we'll see if we can run some other tests, scans with it.
Update the virus definition files when building the CD.
#13
Posted 15 August 2009 - 12:00 AM
Just checking back to see how things are going. I will probably be quite busy this weekend so I may or may not have time to get back to you until Monday.
#14
Posted 15 August 2009 - 08:09 AM
Thanks for checking back. No need to check back since the machine is at work for the weekend. I will update on monday. Thank you for your patience.
#17
Posted 19 August 2009 - 04:18 PM
Thank you for all your help, the person whose computer I was fixing has finally decided it's worth it to just wipe, so I will be applying that ultimate fix.
Thanks again for all your help.
#18
Posted 20 August 2009 - 01:39 AM
Okay, thanks for the follow-up I appreciate it.
Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.
Other members who need assistance please start your own topic in a new thread. Thanks!
The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.