New Virus, disables AV removal software

Status
Not open for further replies.

JeffMIS

Got a new virus on 2 different systems. Systems are from 2 completely different people, and one of the systems was in New Mexico when infected (they brought it to me) and the other in San Francisco.

The virus disables any programs that check for viruses or do system testing. HijackThis starts to run once and will show the screen, but when you pick any option it immediately shuts down and won't run again, giving an error message saying I don't have permission to access the file.

I can run

cacls hijackthis.exe /g administrator:f

And it will get Hijackthis (or any other program) to run once again, but it immediately gets locked out when doing it.

I tried to run Housecall; the moment it started running the scan, the window closed.

I have been running UBCD to get into the system and try and clean files and the registry.

The system had a few viruses... now I have to hit CTRL+ALT+DEL and run Explorer manually, half the time, to get it to come up with a desktop. Weird thing is... sometimes it comes up without doing that.

The registry exefile key was changed to run another program, I corrected it.

The registry userinit key was changed to run another program, I fixed it.

Active Desktop Recovery is up on the screen, and it can't be resolved, even by renaming the HTT file.

Tried using Avast, can get it to install and even do the boot time scan, but once the system comes up it disables the main service.

I have run McAfee from the UBCD using the latest virus definitions (9/9/09) and it still can't find a virus on the system.

I have looked in all the usual places for viruses... some of them are: Windows, windows\system32, the dllcache and drivers folders, Temp in the Windows folder and the users', All Users Administrative Tools, root of C:, Program Files, Program Files\Common Files, Temporary Internet and even some more. Found many infected files and renamed all of them (e.g. change exe to xex and dll to lld; in case the file is needed to boot I can change it back).

I am at a loss when it comes to resolving this. I think it is brand new (I have been cleaning viruses almost daily for 6 months), since I have not seen this particular problem until Friday.
 
Try downloading and running Avast Free antivirus... See what it finds. New viruses and other malware appear all the time. McAfee is one of the least recommended antivirus programs around here. You always have the option of a fresh partition, format and OS reinstall.
 
Already did that

Guess you didn't read the whole message I posted....

As I said originally, I installed Avast. It was able to run the scan at boot time, when restarting, and that found nothing (after McAfee found a lot previously), but as soon as the system booted up the Avast service was disabled by the virus and it would neither update nor run the program.

I agree McAfee sucks...but it is part of the UBCD so you can at least try the latest definitions with it.
 
You probably need to remove McAfee to run another antivirus. It is not good to have more than one installed at a time. You can install McAfee once the computers are clean. Again, you have the option to do a fresh install of the OS. Norton & McAfee are notoriously hard to uninstall on "infected" host computers
 
Again ..

I don't have McAfee installed on the system, only Avast is installed (but disabled by the virus).

As I said, I ran McAfee using UBCD... if you don't know what that is, you WANT to know, look it up. It's the Ultimate Boot CD for Windows, the most useful tool for troubleshooting system problems you can have. It allows you to create a bootable CD/DVD with Windows on it, and you can bring up a system without using the hard disk; it loads Windows into memory from the CD. UBCD is an add-on for BartPE, which is what gives you the bootable CD option. One VERY nice option is that you can edit and modify the registry for any user on the system, using UBCD tools, fixing registry problems so you can boot into Windows without registry hacks.

You can download and install the latest McAfee Virus definitions with UBCD and create a CD/DVD that has McAfee on it and it can scan your drive without booting up the system.
 
I KNOW what the UBCD is, but I would never run McAfee or any antivirus program that way. It sounds like this technique isn't working for you either. Boot from the UBCD and partition and format the C drive
 
So your answer is throw in the towel; that's not a solution, that's surrender. In the past I have waited a few days and had new viruses detected and removed by McAfee as soon as they were added to the scanner definitions. Did just that 2 weeks ago when a new virus hit another system and was not in the definitions right away. That's one reason I don't use McAfee on systems: they don't keep up and don't find a lot of infections, but it's better than nothing and scans every file on a system.

You're saying "I would never run McAfee that way" makes no sense; you might as well say "Well, never run a virus checker if you have a virus", it's the same thing. There is absolutely no reason NOT to run McAfee in UBCD, since your hard drive has no files in use and every file can be checked and even deleted since it is not in use.

McAfee in UBCD gives you a full DOS-based virus scan of a hard drive; there is no reason NOT to do this. I have removed viruses from dozens of systems with it. While I usually can do it manually, I find that McAfee can at least finish up when I missed a file in some obscure place or the

Running McAfee from UBCD is like running housecall from Trend, but you can do it when you can't boot up the infected system.
 
I work on many "infected" systems. It can take many hours or even days to clean a computer, while a fresh Windows install plus updates takes much less time. If I had to use a UBCD to boot up an "infected" system, it would be a perfect candidate for a fresh OS install. A UBCD is great for repairing corrupted hard drive MBRs, and you can quickly check a hard drive's SMART or overall condition.
 
In this case a fresh install is not the solution.

The install of Windows and Office and updates will only take about an hour billable time, that is true. But both of these systems belong to architects with a LOT of software installed: CAD software, Adobe software, many applications, very sophisticated configurations with a domain controller and Exchange email.

It takes 4-5 hours to rebuild one of these systems and get all the software installed and then a few days for the client to configure it...costs them $1000 at least, so ....I want a solution to this, if at all possible.

The clients are willing to wait a few days to see if a fix appears.
 
You and your customers should make full back up images of the hard drives, in these instances. You are right to try and salvage the data, but also choose a better protection scheme than they are currently using
 
In the beginning of the thread there is.

Does anyone know of a solution to this, has anyone seen it and been able to figure out where it is coming from.

Someone may have found the answer to this virus and I was hoping to find them.

Here is an example of why posting symptoms and waiting for the definitions to catch up to new viruses pays off.

I had a major problem similar to this 2 months ago. Turned out the virus was being caused by an AUX entry added to the Drivers32 key in the registry at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32. That entry pointed to a file with an extension that was not even valid, it was just a 3-character nonsense string, but having it in Drivers32 screwed up the system. Removing it took the virus out completely; the trick was FINDING IT!!!

Saved the client 10 hours of system rebuild time by finding that, it took 2 weeks of waiting until software detected it....but it was worth it to them.
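The first post in this thread describes the exefile and Userinit registry values being redirected, and the post above describes a bogus AUX entry under Drivers32. The script below is an added example, not code from anyone in this thread: it parses a regedit export (.reg) of those three keys, taken from the suspect machine (for instance while booted from UBCD), and flags any value that deviates from the stock Windows XP defaults. The expected default values, the set of "normal" Drivers32 file extensions, and the sample export text (with its made-up file names) are all assumptions constructed for the example; adjust the expected Userinit path if %SystemRoot% is not C:\WINDOWS.

```python
import ntpath
import re
from typing import Dict, List

# Values a stock Windows XP install carries at the hijack points named in the thread.
# Assumption: %SystemRoot% is C:\WINDOWS; change this if the export comes from elsewhere.
EXPECTED_VALUES = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Userinit": r"C:\WINDOWS\system32\userinit.exe,",
        "Shell": "Explorer.exe",
    },
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {
        "@": '"%1" %*',
    },
}
DRIVERS32_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
# Assumption: file types legitimately referenced from Drivers32 on a stock install.
DRIVER_EXTENSIONS = {".drv", ".dll", ".acm", ".ax"}

# Constructed sample: a regedit export of the three keys from a tampered machine.
# All file names after "sample_" are made up for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sample_unknown.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\sample_wrapper.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"wave"="wdmaud.drv"
"aux"="C:\\WINDOWS\\system32\\sample_driver.qzx"
'''

# Constructed sample: the same keys as they look on a clean install.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"wave"="wdmaud.drv"
'''

# One value line: either the key's default value (@) or a quoted name, then '=' and the data.
VALUE_RE = re.compile(r'^(?:(@)|"((?:[^"\\]|\\.)*)")=(.*)$')


def unescape(s: str) -> str:
    # .reg escaping: a backslash protects the next character (\\ -> \ and \" -> ").
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ values of a .reg export into {key: {name: data}}.
    hex:/dword: values are skipped; they are not needed for these checks."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) else unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = unescape(data[1:-1])
    return keys


def audit(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per value that deviates from the expected default."""
    findings: List[str] = []
    for key, expected in EXPECTED_VALUES.items():
        present = keys.get(key, {})
        for name, want in expected.items():
            got = present.get(name)
            if got is None:
                findings.append(f"{key}\\{name}: not present in export")
            elif got != want:
                findings.append(f"{key}\\{name}: {got!r} (expected {want!r})")
    # Drivers32: an entry whose target is not a recognised driver file type is suspect;
    # this is how the nonsense-extension AUX entry from the post would show up.
    for name, target in keys.get(DRIVERS32_KEY, {}).items():
        ext = ntpath.splitext(target)[1].lower()
        if ext not in DRIVER_EXTENSIONS:
            findings.append(f"{DRIVERS32_KEY}\\{name}: {target!r} has unexpected extension {ext!r}")
    return findings


def audit_text(text: str) -> List[str]:
    return audit(parse_reg(text))


def audit_file(path: str) -> List[str]:
    # regedit writes exports as UTF-16LE with a BOM; the "utf-16" codec honours the BOM.
    with open(path, encoding="utf-16") as f:
        return audit_text(f.read())


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_REG):
        print(finding)
```

Run against the constructed sample it reports three findings (the extra Userinit entry, the wrapped exefile command, and the AUX entry with the unrecognised extension); against the clean sample it reports none. The same approach extends to any other value whose stock default is known: add the key and value to EXPECTED_VALUES.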
 
TMagic650

You say a better protection scheme...but the fact is, NOTHING seems to protect one from day zero events. I wish people could be controlled closer, they are the problem!!

I have had major infections on systems with Norton, Symantec AV, Symantec Endpoint Protection, McAfee, CA AV, NOD32, AVG, Avast. I have a couple of thousand desktops I support and no matter what I run, someone seems to be able to get infected with a new virus pretty regularly now.

I went for a couple of years with maybe one infection every 2-3 months, now I am hearing about them almost every day, no matter what virus software is installed.

I personally have never had a virus on my systems (starting with a PC in 1984), but I am more careful than the average user and know when to say NO to a popup.

Owners of small companies also can't afford to back up every system's image (each one is usually different). Yes, if viruses stay as bad as they have been lately, people will start thinking it is a smart move, but they don't want to spend the money on the hardware, software and the time spent doing it, at this time.
 
BTW.....I Spell "Boot Disc"...L-I-N-U-X.....

Most of the nastier virus/malware infections do take out the AV "solution".

Point here is this doesn't necessarily have to be a "new" piece of malware. On the other hand, if you are correct and this is a "zero hour attack", then your best source of info would be any of the AV manufacturers web sites, as it takes a while for a new infection to mingle with the "contemporary folklore" as it were.

If as you report, you can no longer even boot the machine on its own, this does make an extremely strong case for a reformat. Whatever it is, it is progressively becoming worse. This is the point where if the machine were mine, in would go the Windows discs.

I've been mulling over the feasibility of creating a sticky with a comprehensive list of reasons why "nobody can reformat". That way people could come prepared with a litany of excuses, tailor made, without having to flex a brain cell, and spend the rest of the thread talking down to us.

That said, I already know what a boot disc is, but moreover I'm not exactly certain why anyone who allegedly is running a computer business would be coming here demanding that we solve their problem. There is a big cost analysis component to your posts. Oddly, I've misplaced my time card. That spells "impasse".
 
I am just asking for help on this, not demanding...shoot ...what good would it do to demand a fix...that would be silly.

I am just looking to see if someone else has seen this and might know the answer.

I know the answer to many of the newer problems that cause infections, this one seems to have started out in the wild on or around 9/3/09. I was cleaning up similar viruses the week before but none did what this one does, as far as disabling other AV software and tools. Both of these systems had the bravia.exe file which is a well known virus I have seen dozens of times, maybe these are just variants of what causes that.

Both of the systems can boot up; that's why I am still trying to find a solution and not rebuilding.
 
More and more of late, I have seen people complaining of redirects and other problems that elude even some of the better AV and anti-malware programs.

That said, have you had any luck with the other programs in our 8 step clean up program?

Avast seems to "die easy" when confronted with certain malware. That coupled with the annoyance of the registration and renewal thereof makes me reluctant to recommend it.

I also suggest downloading and running the current "M$ Malicious Software Removal Tool". This months version should be available. Use the version from the M$ download page and NOT the update page, as it's an executable file, whereas the update is an install, which doesn't seem to be working well.

If PC World is correct, the malware writers may be winning so it's a sad day for all of us.

As I said, "boot disc is spelled L-i-n-u-x", and methinks it might be a good time to rescue and scan the pure data files on these computers. This in case a less drastic solution than reformatting is not forthcoming.
 
Already have the MRT on one of them, but the other won't download, and this virus disables the exe, so it won't work, have a big list of non accessible files when I run a scan now. Will have to use cacls to clear the drive up.

The 8 steps ...another case where if anything was fixable or capable of analysis the virus disables the tool.

I don't have to rescue anything on them. I can just pull the SATA drives out of both laptops, plug them into one of my systems and copy the files off. I can even boot one of them with UBCD, connect to my server over the network and copy all the files over there.

Lots of choices...but I REALLY would like to kill this virus.....and learn something new doing it.

I have put the drives in another system as a 2nd drive and run Avast there, found MANY infected files, but still didn't kill this %$#@@ virus.

They have come up with SO many new tricks lately, it's really getting bad, worst I have ever seen it, and I have been working with PCs since '84.

I think if more business software was available for Macs, many people would move just to get rid of the viruses. Of course then the virus writers would have a reason to create Mac viruses... a no-brainer with the Unix underpinnings.

I am putting a virus checking on the firewall this week at one office that finally wants to spend some more to try and prevent the problem. It's hit them twice in a couple of months and they are willing to spend more.

The fact is that most of my clients have less than 15 computers; there is an expense level they won't consider until the virus situation gets too expensive... at that point $900 for a router with 2nd-level virus protection makes economical sense.
 
Maybe it's time to put your faith in a higher authority. Have you considered any of the online scans?

I suspect many of these issues are being caused by botnets. I recently experienced a massive uptick in spam, perhaps from leaving an Email address where I shouldn't have.

But, all the messages are very similar, "your order is ready" and "painkillers, no RX needed". These are easy for me to avoid, but a bit more difficult in a business environment where emails with these topics are expected. I guess it's locking the barn after the horse is stolen, but along with a firewall router, it seems an employee retraining program might be timely.
 
Have the same problem. Located services (booting from XP CD) that were part of problem. However, virus remains. It modifies folder permission in a non-standard way so the OS can't restore ownership or assign rights. It takes out AV, hijackthis, will modify executables. This is NEW - zero hour. Symantec / McAfee don't have this one yet.

jbw
 
Try looking in the registry at your startup keys. There is probably something in there telling it to execute. Once the key is removed (will probably come back), find the file it references and remove it from the system. You may have to kill whatever process it piggybacks on so you can remove it. I know this was vague info, but once you get in and see what I'm talking about this should be fairly easy for someone with your experience.
 
Try looking in the registry at your startup keys. There is probably something in there telling it to execute. Once the key is removed (will probably come back), find the file it references and remove it from the system. You may have to kill whatever process it piggybacks on so you can remove it. I know this was vague info, but once you get in and see what I'm talking about this should be fairly easy for someone with your experience.

I have little experience with registry, they all seem to be useless codes.

I have the exact same problems as well, a virus that I can't detect and that disables my anti-virus software. But it started to disable my IE and Firefox. I am using Chrome now.

Also during the startup, two error messages appear saying Upnp.exe and some Acer.exe (my notebook is Acer) is not responding and I have to close them down. After that, startservice.exe is asking permission to run??? I denied because I don't know it. Later I used msconfig to disable the non-basic services and they stopped appearing.

But antivirus software and web browsers are still down, and it takes a long time to load, waiting through a white screen!
 
An irrelevant thing is that my Firefox bookmarks are important to me. I don't know if they have been lost or I just can't locate them... can someone help??
 
Possible Solution

I've been scanning the offending drive on a 2nd PC. All the scans came back clean.

I was able to get ComboFix to run (finally!) on the infected system. What I found was a modified eventlog.dll. The current version (for XP) should be 55KB, mine was 61KB. I replaced it with a backup copy. Then rescanned.

I also used subinacl to restore registry rights modified by the virus.

Problem solved!!

jbw
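jbw's fix above came from noticing that eventlog.dll was a different size from the version that belongs on XP and replacing it from a backup. The script below is an added example, not code from jbw or anyone else in the thread: it fingerprints the executable files under a known-clean reference tree (a backup, or a clean install at the same service-pack level) and under the suspect drive (attached as a second disk or mounted from UBCD), then reports files that were modified, are missing, or were added. It compares SHA-256 hashes rather than sizes, so a patched file that kept its original size is caught too. The directory layout and file contents in demo() are constructed stand-ins, not real Windows binaries.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Fingerprint = Tuple[int, str]  # (size in bytes, SHA-256 hex digest)


def fingerprint(path: Path) -> Fingerprint:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return path.stat().st_size, h.hexdigest()


def build_manifest(root: Path, patterns=("*.dll", "*.exe", "*.drv", "*.sys")) -> Dict[str, Fingerprint]:
    """Fingerprint every matching file under root, keyed by lower-cased relative path
    (Windows paths are case-insensitive, so the key is normalised)."""
    manifest: Dict[str, Fingerprint] = {}
    for pattern in patterns:
        for p in root.rglob(pattern):
            if p.is_file():
                manifest[p.relative_to(root).as_posix().lower()] = fingerprint(p)
    return manifest


def compare(baseline: Dict[str, Fingerprint], suspect: Dict[str, Fingerprint]) -> Dict[str, list]:
    """Diff the suspect manifest against the clean baseline.
    modified: (path, baseline size, suspect size) for files whose hash changed;
    missing: files the baseline has that the suspect lacks;
    unexpected: files present only on the suspect drive."""
    report: Dict[str, list] = {"modified": [], "missing": [], "unexpected": []}
    for name, fp in sorted(baseline.items()):
        if name not in suspect:
            report["missing"].append(name)
        elif suspect[name] != fp:
            report["modified"].append((name, fp[0], suspect[name][0]))
    report["unexpected"] = sorted(n for n in suspect if n not in baseline)
    return report


def demo() -> Dict[str, list]:
    """Construct a clean tree and a tampered tree in a temp dir and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean" / "system32"
        suspect = Path(tmp) / "suspect" / "system32"
        clean.mkdir(parents=True)
        suspect.mkdir(parents=True)
        eventlog = b"MZ" + b"\x00" * 1000   # constructed stand-in for eventlog.dll
        userinit = b"MZ" + b"\x01" * 500    # constructed stand-in for userinit.exe
        (clean / "eventlog.dll").write_bytes(eventlog)
        (clean / "userinit.exe").write_bytes(userinit)
        # Suspect drive: eventlog.dll has grown by 200 bytes, userinit.exe is untouched,
        # and an extra executable has appeared (name made up for the example).
        (suspect / "eventlog.dll").write_bytes(eventlog + b"\xcc" * 200)
        (suspect / "userinit.exe").write_bytes(userinit)
        (suspect / "sample_dropper.exe").write_bytes(b"MZ" + b"\x02" * 100)
        return compare(build_manifest(clean.parent), build_manifest(suspect.parent))


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

On a real case, point build_manifest at the reference Windows folder and at the suspect drive's Windows folder and keep the report; "modified" entries are candidates for replacement from the clean copy (as jbw did with eventlog.dll), "unexpected" entries are what to look at next. The baseline has to come from the same Windows version and patch level, or every legitimately updated file will be reported as modified.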
 