Author Topic: One Nasty Virus/Trojan - Kills all virus scanners  (Read 132593 times)

Lynn210

  • Guest
One Nasty Virus/Trojan - Kills all virus scanners
« on: October 31, 2009, 12:41:30 AM »
My main computer was hit today by a really nasty virus/trojan

The first thing it did was uninstall - or destroy Malwarebytes

It won't let me run Bitdefender.. won't let me reinstall..
I can't boot to Safe Mode..

Avast finds it.. but does not seem to be able to get rid of it.

When I let Avast run a boot scan.. it detects a file and I get that list
of what I want to do.. then it just locks up.. no matter what number
I press .. nothing happens after that point.

Can I get some help...

This is one of those Fake AV malware thingies.. with all the added nasties above
plus it downloads ads and porno stuff.. keeps popping up what looks like Windows warnings about infected files.. at one point it would not let me use task manager to end it..

I tried uninstalling it with Add/Remove it just keeps reinstalling itself.

Never came across one like this before..

Jtaylor83

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #1 on: October 31, 2009, 12:58:31 AM »
Download ComboFix from Bleeping Computer onto your desktop under a different filename.

* Double-click on ComboFix
* Click Run
* Click Yes to agree
* Click Yes to install the Windows Recovery Console
* Click Yes to continue scanning malware
* ComboFix will create a log after it finishes scanning. Post or attach the ComboFix log.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #2 on: October 31, 2009, 01:00:53 AM »
Also, please post the name of the Avast detection, and the location (full path and name) where it was detected.
Windows 10,Windows Firewall,Firefox w/Adblock.

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #3 on: October 31, 2009, 01:22:56 AM »
Avast detects about a dozen files.. I managed to get to where
I could open the CHEST and it has about 12 files in it.

Do you want all of those files and paths?

I have to constantly battle popups to see anything 

I have rebooted and run Avast over and over and each time it seems
to get a little easier to function.

I am running avast right now.. and it keeps finding more files
mostly temp files

other files off the top of my head are

calc.dll
notepad.dll
ie

I managed to copy combofix with a new name via my network.
As soon as avast finishes running its scan I will post that log

Is there a way to copy and paste the Avast Chest?

Offline Tarq57

Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #4 on: October 31, 2009, 02:03:10 AM »
This sounds like it might be beatable. Probably best to go with one thing at a time, though. Being methodical is important, so just do the combofix as suggested by Jtaylor for now.

You can't copy/paste the chest. You could post a screenshot. (Example below.)

You'd probably need to maximize it, then move the column header as indicated in the pic to view the entire path. And, as indicated, it is only the "infected" section of the chest that is of interest.
Windows 10,Windows Firewall,Firefox w/Adblock.

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #5 on: October 31, 2009, 02:55:52 AM »
I have tried several times to get combofix to work..
I can't get it to run.. when it starts I get a popup that says
runonce is infected..

I don't know if these popups are real or not.. any time I try to run
anything .. including avast virus scan .. I get one.

I will try a screen print of the virus chest.. there are so many trojans
in there it looks like a virus dictionary!

I did a screen print but cannot get paint to run to copy it to..
so I tried excel.. it copied but did not save the file.. now I can't
run excel anymore.. says infected

Seems I get to use a file/program once then from then on it is blocked
and I get a pop up saying cannot run .... file is infected.

There are 25 items in the Chest.. mostly trojans..

I am going to try rebooting .. maybe I will get somewhere that way.

Offline Tarq57

Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #6 on: October 31, 2009, 04:51:17 AM »
Delete Combofix. Run a disk cleanup. (Let me know if you need directions)
Download it again, but this time, change the name of it at the "save as" point when downloading:

Quote from: essexboy
Download Combofix from any of the links below. You must rename it before saving. Rename it to Gotcha.exe before saving it to your desktop.

Try running it again with the new name.
Windows 10,Windows Firewall,Firefox w/Adblock.

Offline Tarq57

Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #7 on: October 31, 2009, 04:55:45 AM »
I'm sorry to say, this is sounding fairly bad. Shows symptoms of the Win 32 Vitro, an infector that basically infects everything on the drive when it's used/opened.
Does the name "Vitro" appear in the virus chest at all?

I'd start to look at backing up important files.
If you have anything real important, it may even be better to remove the HD and take it to a shop to extract the important files without the OS running, as files could be infected during the backup process otherwise.

The above is just a precaution; we don't know what is at play, yet.
Windows 10,Windows Firewall,Firefox w/Adblock.

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #8 on: October 31, 2009, 06:25:24 AM »
I don't remember seeing Vitro
I saw something that said Mabolb-tm or something like that
and others.. I have shut down the computer cause it was driving me
nuts..

As for files.. there is very little on the internal hard drive.. I store
everything except the OS on external drives.

I will reboot and list some of the viruses from the chest..

I did try downloading Combofix with a different name.. but will try again
with the name you suggest.


Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #9 on: October 31, 2009, 06:28:06 AM »
What is a disk cleanup?

How do I do that?

I normally use CCleaner on a regular basis but that is not working
anymore either.

So how would I do a cleanup

Offline Tarq57

Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #10 on: October 31, 2009, 07:02:21 AM »
Um, forget about the cleanup. If Ccleaner isn't working, we probably don't want to go messing up system tools, either.
(Normally it's "Start > All Programs > Accessories > System Tools > Disk Cleanup.") You can try it if you want, then after doing it, see if it is disabled as a result of having run.

Try Combofix as "gotcha.exe". Do that first.
Try renaming the main exe of the MBAM program, located in C:\Program files\malwarebytes anti malware (It's called MBAM.exe) to something like Lynn.exe, and see if it will run then. (Probably won't. Worth a crack.)

Whatever you do, don't place any of those storage disks back in the infected computer. I'm very glad you have backed up stuff. It makes the prospect of a format and reinstall much less painful. (For you, of course. Won't hurt me, much.)

You can mess around with trying to fix this if you want, and as long as people here have ideas/help available, or you can just save time if you prefer, do a full format, and reinstall Windows.

Do you have another working computer with a net connection available?
Windows 10,Windows Firewall,Firefox w/Adblock.

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #11 on: October 31, 2009, 07:26:14 AM »
Yes I have 2 other computers on the same network.. both connected to the internet..

I have been transferring from computer 2 to the malfunctioning one via the network.. I managed to open excel and got a screenshot thru the network

It's a risk I know but I will attach it for you and run avast to make sure I
didn't bring anything over.

I have no idea how to format and reinstall..

My computers are Dell computers and they have one small partition and one large..

I format my external drives all the time .. but never did a computer and
OS install..

I will try combofix now that I got the screen shot..


Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #12 on: October 31, 2009, 07:34:55 AM »
Had to transfer to paint so it is in 2 parts..

Every time I reboot and run avast.. I get more files added to the chest.

The files are still too large.. how can I make them smaller or get them to you?



Offline Tarq57

Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #13 on: October 31, 2009, 07:56:13 AM »
Crikey. Disconnect the infected machine from the network. Now.
Windows 10,Windows Firewall,Firefox w/Adblock.

Offline Tarq57

Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #14 on: October 31, 2009, 08:38:37 AM »
Thing is, until we know for sure what you're dealing with, it remains unknown (but a possibility) that it could affect the other computers on the home network.
So, at a minimum, at least make sure the other computers are well and truly firewalled inbound from the sick computer.

The sick computer appears to not be able to run any application more than once, if at all. That points to a fairly virulent infection, that Avast is unable to clean. I strongly suspect the infection agent is polymorphic (as Vitro is), that is, it re-codes/renames itself each time it infects something, to (a) make it more difficult to fix, and (b) to evade detection.

You do not want any part of that code getting into another computer.

Any idea how you got this?
Windows 10,Windows Firewall,Firefox w/Adblock.