Viruses that can't be removed

[Inga]

Hi! I'm trying to help my friend with her computer as her computer is being run down with viruses.

Short story:
When running avast it stops during the memory test to remove 4 viruses/trojans in folders:
\system32\uachptidtandy.dll
\system32\uccpxidjipfkj.dll
\system32\uccvnrlbdgcto.dll
\temp\uacb135.tmp
All these can't be moved to chest as they're being used at the moment. So we've deleted them, then Avast says that there's a virus in the memory and that the scan needs to be done in boot mode and it needs to restart, so we do, and it does it's thing and there's two viruses that we move to chest. Then when the computer restarts we run avast again, and then just like before the 4 viruses show up again, and the message to run the scan in boot mode comes up again. It's just repeating itself and nothing is removed. What can we do? If you wait to go into boot mode or anything like that then the computer will freeze and it has to be shut down by pushing the start button.

Longer version:
This all started yesterday when she got a message on her computer that she had 10 viruses on it, from AVCcare, or AVcare, ACvirus or something like that. Which seemingly was a program that had added itself to the computer to resemble AVG virus program, she had AVG at the time. So we ran an AVG virus scan which removed 6 viruses/trojans, and it briefly seemed to be ok. She asked me which virus program i used since i don't have problems with this sort of thing. I said Avast, of course And she then decided to remove AVG and install Avast to see if that would clean it. Then when she first ran Avast it detected the 4 viruses/trojans that still refuse to go away.

What can we do as it's just going in circles? I'm not at her place anymore so i don't have the computer next to me.

I hope someone knows what to do, but if not, thanks anyways 

[Lisandro]

I suggest you run avast booting the computer in Safe Mode.
If it can't get rid of it, read the instructions, download and burn (maybe from another computer), finally use one of this rescue CD's:
1. Dr. Web
2. Avira
3. BitDefender
4. Kaspersky
5. F-Secure

[bobo1]

Hi
Try avast scan in safe mode for xp or vista by hitting F8 Repeatingly on boot up. after this try clearing all restore points by turning off system restore as viruses hide in this and scan again in safe mode. And reboot. Try and download spybot search and destroy and run that and remove what it finds

[Spiritsongs]

   Hi Inga :

 Sounds like your friend has a "Rogue" program on her computer ; the FREE
 Version of "Malwarebytes' Anti-Malware", which can be downloaded from
 www.malwarebytes.org/mbam.php , is designed SPECIFICALLY to deal with
 these types of programs and I recomend you try and use it on her computer .

[DavidR]

@ Inga
This will have more friends as the UAC{random_characters}.dll is associated with a rootkit.

- RootRepeal, http://rootrepeal.googlepages.com/ RootRepeal is a new rootkit detector currently in public beta. Scroll down the page for the download link. Also see, http://www.malwarebytes.org/forums/index.php?showtopic=12709 for general information on running it. Also see, http://forum.avast.com/index.php?topic=47511.msg401133#msg401133.

[Inga]

Ok we're trying all the stuff. How exactly do you command the computer to start a virus scan in safemode?

Thanks for all the advice! 

[DavidR]

You're welcome.

I would suggest running MalwareBytes AntiMalware (MBAM) first as suggested by Spiritsongs as that specialises in rogue program removal.

If a boot-time scan is available to the user that is a better option than a safe mode scan. If you have XP, vista or Win2k (all 32bit), you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php. Don't opt for deletion (you have no options left), always send to the chest and investigate.

[Inga]

We've run the boot time scan several times and the viruses come back, and we can't seem to put Malawarebytes AntiMalaware on it since we can't access the desktop anymore. Or rather we can access the desktop but nothing more than that. We can't open folders and the only program that will run is Avast, but in the same repeating cycle as it has been. We can however use the task manager, but to no avail.
The viruses will stop the virus scan from completing, forcing it into boot mode, then that scan can't finish because the viruses won't let it. We land up with warnings and suspect files but we can't quarantine them or delete them.
We've run the Avira rescue CD as suggested, but he viruses won't be removed. They're found but they can't be removed.

We're really out of ideas here :'(

[Lisandro]

Did you try other CDs that I've posted on reply #1?

[bobo1]

Can you type in msconfig in the run box and see whats in your start up group items . If Avast cannot clear the viruses under the boot time scan than can only suggest a complete reformat of the main drive C and reload Xp or Vista and start again a bit drastic though, as it has got to be something that is loading with the operating system! Need a hijack this log to read what this computer is doing?

[Tarq57]

Format and reinstall is a drastic step to take.
There are plenty of other suggestions posted that I'd certainly try first.
Format and reinstall is a last resort.

[Inga]

Fixed! Thank you for all your help!
The viruses were preventing us from opening Malwarebytes Anti Malware and most spyware removers, and the rescue CDs didn't work which almost led to us formatting the hard drive since we seemed out of options. We'd learned from watching the Avast scan that most viruses had names starting with kbi and uac, and tended to hang out in the system32 folder. We could get RootRepeal working and it then seemed like a good idea to delete viruses manually, and we took away everything kbi and uac. We then tried Malwarebytes Anti Malware again to see if removing the files might have made a difference and we eventually managed to get it working long enough to remove a dozen more viruses, which after restarting got us back to the normal desktop, and we could then open and run all programs! Yay! We've updated all virus definitions now and Malware still picks up on one virus every day, but it's quite usable now 

So thank you everyone for helping us save the computer! Team effort! 

[Tarq57]

Could you post the name and path of the file that MBAM is picking up every day, please? It is always the same name/path, or does this vary? What does MBAM describe it as?

Glad you're heading out of the woods. But maybe still a bit of work to get it right.

[muis]

Some viruses are hard to remove because they are pressent in the restore map, i had (a long time ago) to disable the restore function to get rid of them.
I always make a backup using BartPE (XP) and leave the restore function disabled.