I removed all viruses from my PC but they just respawn. My PC can't run anything!

By Tails Clock
Nov 24, 2010
  1. I recently removed my hard drive and hooked it up to another PC and had that PC spend 2 days scanning my hard drive for viruses with Kaspersky 2010. It found like 23000 somehow. I am always careful on the net so this makes no sense to me at all. But I got rid of all viruses and trojans and started my PC up. I installed Kaspersky on my own PC and it made me restart twice. Thanks to it forcing me to do that some viruses were able to come back...

    I just re-scanned my HD on the other computer and got rid of only 4. Tried to use my PC again properly and run Kaspersky which is now installed properly but it keeps saying "windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
    I tried reinstalling Kaspersky but it says it cannot alter the same file, avp.exe.

    This happens with ALL anti-viruses I use. Eventually it led to every program I had only opening for a few seconds before closing. My PC was unusable. I've gotten it back to an almost workable condition but I know it won't be long before it goes bad again. Please help me out as best you can. I get the feeling this is not a virus, but some setting that has been altered on my PC by the virus that a virus scanner cannot fix.

    Last time I got malware it turned out I just simply had to remove some installed hardware driver thingy. I hope it's that easy this time too.

    PS: Don't tell me to system restore, that seems to never work and only succeeds in making you lose stuff you wanted without removing the virus.
    Oh, and whilst virused I ended up being forced to install anti-virus 2010 or something like that. It's still stuck in my add/remove programs bit but it won't let me remove it from there. I think all of its parts have been removed though.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Okay, let's set up some rules up front:
    1. I would have told you to do a System Restore for the problem you describe.
    2. If I do instruct you to do something, I expect you to do it.
    3. If Antivirus 2010 did install on the system and a process to remove it wasn't followed correctly, the uninstaller in the program will have been damaged.
    4. That driver thingy might have been all that was needed for the previous malware. When I see the logs from these programs, I will be better able to guide you:
    5. Whatever you did when you "rescanned the hard drive" obviously didn't get rid of the malware. If you happen to have a file infector like Virut or Ramnit or the Sality virus family, it might require a full reformat/reinstall.
    6. Doing the following puts your system at more risk so stop doing it!
      It's because the malware writers are smarter than we are and can tailor the programs to get around the security- or it can be just a simple click in the wrong place, or downloading from a bad site!
    7. Lastly, you weren't forced to do anything- you chose to do it. And when you describe malware, the term "something like that" is useless!
    I'd like you to run the following online scan, then post the log. Depending on what I see, we'll decide whether to go on attempting to clean the system. Finding 23,000 infections at some point would point to a file infector:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  3. Tails Clock

    Tails Clock TS Rookie Topic Starter Posts: 16

    5. Even if this is some real bad malware, I cannot believe that I'd have to wipe my hard drive to get rid of it. So any suggestion to do so will be totally ignored. I will try anything else you say though.

    6. Trying to reinstall an anti-virus put me more at risk? I can actually BE more at risk?? I currently have nothing running at all so I was left with no other choice. But I'll stop trying that now.

    7. I was in fact forced to install anti-virus 2010. I couldn't even stop the installation by using alt+ctrl+delete. My desktop changed to one saying I am infected and then I was spammed with little popups telling me to get an anti-virus. I clicked the little bubble and everything then installed automatically without me having any choice.

    As for that Eset thing, I only got as far as installing the Active X controller. It does not load anything at all. It's just a blank page. I have no anti-virus running to disable. I can't try it on Firefox as FF insta-crashes now. I'm using IE8.

    What do?
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    When you clicked on the little bubble, you essentially lost your 'choice' and told the program to install.

    If a Kaspersky scan indicated 23,000 infected entries, I would be very concerned right up front that it would take a reformat/reinstall to get the system clean and up and working properly.

    At no point did you indicate if you had any antivirus program running when you got the initial infection.
    Depending on what the malware was, here are some examples of why a reformat/reinstall would be recommended:

    If the malware was the Ramnit file infector:
    Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

    In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.
    If the malware was the Virut file infector:
    Virut is a Polymorphic File Infector that infects .exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair resulting in an inoperative machine. It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker.

    Good explanation here:

    Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain .exe, .scr, .rar, .zip, .htm, .html files.
    If the malware is of the Sality virus family:
    Sality is a family of file infecting viruses that spread by infecting exe and scr files. The virus also includes an autorun worm component that allows it to spread to any removable or discoverable drive. In addition, Sality includes a downloader trojan component that installs additional malware via the Web.

    It then creates and starts a service to load the driver. The driver blocks access to a variety of security software vendor web sites. The virus then disables security software services and ends security software processes. It also disables registry editing and the task manager.

    Windows fails to correctly parse shortcut files, identified by the ".lnk" extension. The flaw has been exploited most frequently using USB flash drives. By crafting a malicious .lnk file, hackers can hijack a Windows PC with little user interaction: All that's necessary is that the user views the contents of the USB drive with a file manager like Windows Explorer.

    Tests showed that the exploit works even when AutoRun and AutoPlay -- two functions that have previously been used by attackers to commandeer PCs using infected flash drives -- are disabled. The rootkit also bypasses all security mechanisms in Windows, including the User Account Control (UAC) prompts in Vista and Windows 7, ...
    Worm is named Win32/Stuxnet.A.

    Because of these actions, we recommend you do a reformat/reinstall. Attempts to clean this virus to include the backdoor capability usually fail.
    It is common for any systems infected with the malware above to show hundreds and hundreds of infected processes. And the longer the malware is on the system, the files and folders can become so corrupt with the malware that it becomes unbootable.
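The Sality symptoms Bobbye lists above (a service loading a driver, security vendor sites blocked, Registry editing and Task Manager disabled, security services stopped) can be checked for from the defender's side before deciding on a reformat. The script below is an added triage example, not code from this thread or from any vendor; it assumes an elevated PowerShell session on the suspect machine and only reports findings, it changes nothing.

```powershell
# Added triage script (not from the thread): reports the Sality-style symptoms described above.
# Assumes an elevated PowerShell session on the suspect machine. Read-only: nothing is modified.

# 1. Policy values that disable Task Manager and Registry editing (value 1 = disabled).
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $p = Get-ItemProperty -Path $key
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        if ($p.PSObject.Properties[$name] -and $p.$name -eq 1) {
            Write-Output "SUSPICIOUS: $name=1 under $key"
        }
    }
}

# 2. hosts file lines that point security vendor names somewhere (constructed watch list; extend as needed).
$vendorHints = 'kaspersky', 'eset', 'symantec', 'mcafee', 'microsoft', 'avast', 'avg', 'bitdefender', 'trendmicro'
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsFile | Where-Object { $_ -match '^\s*\d' } | ForEach-Object {
    $line = $_
    foreach ($v in $vendorHints) {
        if ($line -match $v) { Write-Output "SUSPICIOUS hosts entry: $line"; break }
    }
}

# 3. Kernel drivers whose image is outside System32\drivers or whose file is missing (review, not verdict).
Get-CimInstance Win32_SystemDriver | ForEach-Object {
    $path = $_.PathName
    if (-not $path) { return }
    $clean = $path.Trim('"').Replace('\??\', '').Replace('\SystemRoot\', "$env:SystemRoot\")
    if ($clean -notmatch '^[A-Za-z]:\\') { $clean = Join-Path $env:SystemRoot $clean }   # relative service paths
    if ($clean -notmatch '(?i)\\system32\\drivers\\' -or -not (Test-Path $clean)) {
        Write-Output ("REVIEW driver: {0} state={1} image={2}" -f $_.Name, $_.State, $path)
    }
}

# 4. Security-related services that are not running (Sality stops these, per the description above).
Get-Service |
    Where-Object { $_.DisplayName -match '(?i)antivirus|kaspersky|eset|defender|security center|firewall' } |
    Where-Object { $_.Status -ne 'Running' } |
    ForEach-Object { Write-Output ("REVIEW service: {0} ({1}) status={2}" -f $_.Name, $_.DisplayName, $_.Status) }
```

Run it from a clean boot medium or a known-good PowerShell copy where possible, since the description above says the malware ends security processes; a hit in section 1 or 2 on a machine nobody administers by policy is the kind of evidence that supports Bobbye's reformat recommendation.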
Topic Status:
Not open for further replies.
