Jamesey1 asked:
winantivvirus pro virus removal

I am fighting a virus on a client's computer. I have made a full backup image with Acronis True Image and am now trying to remove the virus.

I have tried the following options: install and scan with AVG, Malwarebytes, Avast, HijackThis. All of these would install and update, but as I started to run them, in safe mode or normal, they would crash. After that they will not run. Upon further inspection it seems some of their files become read-only and some permissions are goofed up.

A-squared did install and find hundreds of virus infections. It removed them but the problem remains. I have a screenshot I will attach below. I believe it to be the WinAntivirus Pro infection.

I currently have the drive slaved and am scanning with Malwarebytes, AVG, Dr.Web and Spybot but not finding anything. I have tried running ComboFix but it will not start. (I downloaded ComboFix to another computer, renamed it, put it on a thumb drive and brought it over. No luck.)

Any thoughts?
winantivirus.bmp
hmare

Jamesey1 (ASKER)
Put the drive back in the computer.

No luck. Didn't find any of those processes running. Also didn't find the registry keys. I noticed the post was from June of 2008, so I'm assuming the virus has changed since then. Did not make it all the way through the list.

Running SpyHunter, which is picking up hundreds of trojan.zlob infections... I'll post back after the scan completes... and while I was typing, the virus killed SpyHunter. It now will not run either.
Do you have the logs from SpyHunter? You could try to use a boot disk and manually delete the infected files.
Hi Jamesey1,

Run a temporary file remover...CCleaner is a good one and it's free.
http://www.ccleaner.com/

Download Combofix by sUBs.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Before running Combofix, temporarily disable any firewall(s), shield(s), etc. to prevent any conflicts with Combofix. After Combofix is done scanning, it will create a log; for further instructions, save and paste the results by Attach File, or by Code Snippet, so we can take a look at it. Once the log looks clean, you may enable your firewall(s), shield(s), etc. Combofix will disconnect your machine from the Internet. Your Internet connection will be automatically restored just before Combofix completes its scan. If Combofix runs into problems, your Internet connection can be manually restored by restarting your machine.

You might need to rename the file before saving to your desktop so it will not be blocked.

Please note: Don't run Combofix in Safe Mode.
I'll look for a spyhunter log.

I ran CCleaner and it was able to finish with the drive in the machine. Removed 1.5 GB of temp files and found over 300 registry entries to clean up. Ran the registry tool till it came up clean.

Can't make ComboFix run any which way I try. Downloaded it from the above link again. Named it combofix2 (this is on a separate computer), then transferred it with a thumb drive. The little ComboFix loading bar goes across the screen but that is it. I'd love to get that tool to run if I could.
Jamesey1 - sorry I was away, I would have responded sooner. If you're having issues opening Combofix, for right now, try scanning with Kaspersky's Free Virus Scan. Here's the link:
http://usa.kaspersky.com/downloads/free-virus-scanner.php
ASKER CERTIFIED SOLUTION by rpggamergirl
RootRepeal will run; GMER may not. If GMER will not run at first, just rename (ren) it. If that does not work, then download and run Autoruns from http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
Save that log and attach it as well.
I have attached a txt file of the rootkit revealer tool for review.

Jeremy - I have also scanned with the KAV rescue CD. I was not able to update the KAV rescue CD as networking would not work... so that didn't work well. I have not yet tried the online scan.
RootRepeal-report-08-18-09--09-3.txt
Weird. I don't know why it says the above might be an MPEG file. It is a txt file.
I am unable to get to the Kaspersky scan. Browser is hijacked. Looks similar, but the page address it redirects me to is some free.downloads.org site and it isn't quite right. Tried a few options, like trying to get to the Trend Micro scanner as well, but also hijacked. I can surf Google and Yahoo fine but AV sites seem redirected.
There is also a process called iexplore.exe always running, even when I am not using Internet Explorer. Seems rogue to me. How can I kill it? If I end the process it will just come right back.
SOLUTION
SOLUTION
Ok, here's the update. Removed the two from your first post. Rebooted and scanned again. At this point the virus has adapted and I now can't run RootRepeal anymore.

I did a search for the first two and don't see them back. Appears we are going after the win32k.sys.1 and 2 at this point, but I still can't run ComboFix, Malwarebytes or RootRepeal now.

Any more advice?
Doing a full GMER scan now. Will attach momentarily.
GMER crashed halfway through scanning. I could see that it still saw all four of the above files in question. I now can't run it either. What a bugger this one is.
Tried to get an Autoruns log but it did the same crash as it was running.
SOLUTION
SOLUTION
Ran the batch. The following is the text from the log.txt it created.

 Volume in drive C has no label.
 Volume Serial Number is 8036-DBC7

 Directory of C:\WINDOWS\$NtServicePackUninstall$

02/28/2006  08:00           180,224 scecli.dll

 Directory of C:\WINDOWS\$NtServicePackUninstall$

02/28/2006  08:00           407,040 netlogon.dll
               2 File(s)        587,264 bytes

hmare - I am working on creating a UBCD.
I have a UBCD now and am scanning through that with Spybot and others and am picking up fraud.antivirusplus. Will post back.
The batch file didn't pick up a patched scecli.dll or any other.

This infection patches a system file, and unless it's replaced the infection remains active.
Please download this tool and run it.
http://ad13.geekstogo.com/Win32kDiag.exe

It will create a file "Win32kDiag.txt" on the desktop. Please post the result here.
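A defender-side check for the point made above (a patched system DLL stays active until it is replaced). This is an added Python script, not a tool from the thread: it compares every copy of scecli.dll and netlogon.dll that Windows XP keeps by SHA-256, so a copy altered in place stands out even when its size matches the backups, which a plain dir listing would not reveal. The candidate directory names and the sample tree it builds are assumptions and constructed data, not taken from the logs posted here.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# XP keeps backup copies of system DLLs; the thread's batch file listed scecli.dll
# and netlogon.dll in $NtServicePackUninstall$. system32 holds the copy the OS loads.
CANDIDATE_DIRS = [("system32",), ("system32", "dllcache"),
                  ("$NtServicePackUninstall$",), ("ServicePackFiles", "i386")]
WATCHED = ("scecli.dll", "netlogon.dll")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_divergent_copies(windows_dir, names=WATCHED):
    """Return {name: [(subdir, size, sha256), ...]} for each DLL whose copies
    do not all share one hash. Size alone is not enough: an in-place patch
    can keep the byte count identical (the dir listing shows sizes only)."""
    report = {}
    for name in names:
        copies = []
        for sub in CANDIDATE_DIRS:
            p = Path(windows_dir).joinpath(*sub, name)
            if p.is_file():
                copies.append((os.path.join(*sub), p.stat().st_size, sha256_of(p)))
        if len({c[2] for c in copies}) > 1:
            report[name] = copies
    return report

def build_demo_tree():
    """Constructed sample tree (not a real system): the backup copies agree,
    the live system32 copy of scecli.dll was altered without changing size."""
    root = Path(tempfile.mkdtemp())
    good = b"MZ" + bytes(1000)                       # stand-in for a clean DLL
    patched = good[:500] + b"INJECTED" + good[508:]  # same length, different bytes
    for sub, data in [(("system32",), patched), (("system32", "dllcache"), good),
                      (("$NtServicePackUninstall$",), good)]:
        d = root.joinpath(*sub)
        d.mkdir(parents=True, exist_ok=True)
        (d / "scecli.dll").write_bytes(data)
        (d / "netlogon.dll").write_bytes(good)
    return root

if __name__ == "__main__":  # on a real XP system pass r"C:\WINDOWS" instead
    print(find_divergent_copies(build_demo_tree()))
```

Run it against the slaved drive's Windows folder; any DLL it reports is a candidate for replacement from the backup copy whose hash the other copies agree on.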


Here's the log. I ran it for 45 min. It never closed, so I took what it had written.
Win32kDiag.txt
I have built a UBCD with updated defs for Malwarebytes. It also has ComboFix and Spybot updated. I'll perform scans with those and post back.
SOLUTION
Ran the patch. I can't run ComboFix but I can run RootRepeal. It finds:

SKYNETcbctdpq at c:\windows\system32\drivers\SKYNETyqryodco.sys.sys

and

UACd.sys at c:\windows\system32\drivers\UACxtuwywfnxo.sys

I can right-click, but when I say wipe it says it can't find the file on disk.
Thanks for bearing with me. I also can't run Malwarebytes. I am able to run a tool called expcfix with the UBCD and am going through BHOs etc. now.
Can you post the Rootrepeal log please?

You can also right-click on those and select "Wipe File".
If it's the service then you need to reboot.


Did you also do the Fix.bat?

Attached is the RootRepeal log. I was only able to run RootRepeal after running the fix.bat.

Both of the above files, when I right click and say wipe they say that the file can't be found.
RootRepeal-report-08-20-09--11-4.txt
I was able to wipe everything in question except for the uac and skynet hidden services.


I right clicked on scecli.dll and did a wipe and that worked. I tried to wipe the hiberfil.sys but the system locked up.

Researched hiberfil and ended up turning off hibernation. Then scanned again with RootRepeal and it was gone.

The win32k.sys:1 and 2 disappeared after removing the scecli.dll.

I'm going to reboot one more time, scan again and post a new rootrepeal log
Attached is an updated log.
RootRepeal-report-08-20-09--11-4.txt
After getting the log above I was able to run combofix. Attached is the combofix log

I am now running Malwarebytes and it hasn't crashed, fingers crossed. I'll post back, but I'm starting to feel optimistic here. :)
combofixlog.txt
SOLUTION
Many Thanks. We've solved this one.

After running fix.bat I was able to run RootRepeal. I was able to begin removing things at that point. I was able to remove hidden services except for the hiberfil.sys. I turned off hibernate and this file disappeared on the next scan. After that I was able to run ComboFix. After running ComboFix I was able to reinstall Malwarebytes and use that. It found a few items. I was also able to surf to antivirus sites, something I could not do before. I finished up by scanning with AVG, Spybot, SpyHunter, A-squared, Avast and Kaspersky.

Then I put in the missing windows patches and called it a day. Many thanks.
Excellent input from rpggamergirl.
You did a great job! Well done.
Glad to know it's been resolved.

To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:

ComboFix /u


Thank you for using Experts-Exchange!