One Nasty Virus/Trojan - Kills all virus scanners

[Lynn210]

I was doing my weekly TV guide.. so I had zaptoit open  IMDB  TV.com
and a few others..

How can I get that excel spreadsheet to you..
It is 204kb and this system only takes 200kb at a time

It has a complete list of the Avast Chest but I have copied the list
best I can.. These are the VIrus/Trojans .. do you want me to match them to their respective files?

Win32:Malware-gen
Win32:MalOb-T[Cryp]
JS:FakeAV-AI[Trj]
Win32:Spyware-gen[Spy]
Win32:Rootkit-gen[Rtk]
Win32:Walivun[Trj]
Win32:Trojan-gen

Most of the files affected are temp files



uacdf4f.tmp            C:\Documents and Settings\Lynn\LocalSettings\temp
uace20e.tmp           C:\Documents and Settings\Lynn\LocalSettings\temp
uace53b.tmp            C:\Documents and Settings\Lynn\LocalSettings\temp
uadeeae.tmp             C:\Documents and Settings\Lynn\LocalSettings\temp
uacf0e1.tmp              C:\Documents and Settings\Lynn\LocalSettings\temp
Uninstal.exe               C:\ProgramFiles\ActiveSecurity
uqxq44.dll               c:\windows\system32
winamp.exe            C:\Documents and Settings\Lynn\LocalSettings\temp
trz11.tmp             C:\WINDOWS\system32
trz10.tmp               C:\WINDOWS\system32
syssvc.eve           C:\WINDOWS  (this one appears 15 times)
scandsk.dll           C:\documents and settings\lynn\startmenu\programs\startup
rundll32.dll                C:\Documents and Settings\Lynn\LocalSettings\temp
ntuser.dll                  in c:\DOCUME~1\Lynn  (appears 3 times)
litoqbe_cr[1].htm       C:\Documents and Settings\Lynn\LocalSettings\ ~~~(another temp internet file)
islv.exe                    C:
Installer.exe              in c:\DOCUME~1Lynn\LOCALS~1\Temp (appears 3 times)
iehelper.dll                  in c:\windows\system32  (this one appears 4 times)
flst[1]js               c:\Documents ...blah blah .. TempInternetFiles\IE5\LDJALNF3
coreext.dll                 c:\programfiles\active security
calc.dll                     in c:\windows\system32
6to4v32.dll                in c:\windows\system32

asecurity.exe (this one is one of the popups phony security things that caused the problem I believe)  c:\programfiles\active security

[Lynn210]

What about the Microsoft Recovery Console?
I can boot up into that (or I could anyway) but I dont know how
to use it ...

or boot up from a disk into safe mode

I think if I could get into safe mode maybe that would help get rid of this.

[Lynn210]

Sorry... as a last resort .. I would not mind reformatting if someone could guide me.

I have all my software discs..
I dont have a full scale OS disc.. I have a Dell OEM OS disc.. would that work?

I have a bunch of useless software on the sick computer.. dont use it so would not
reinstall it.. just my CD ROM drive and DVD drive.. Nero .. Office.. that is about all
I use on that computer.. Dont use email there..

[Pondus]

How to reformat


WinXP
http://video.google.com/videosearch?hl=no&source=hp&q=how+to+reformat+xp&um=1&ie=UTF-8&ei=eTXsSoCjGYLY-Qbl_KHwCw&sa=X&oi=video_result_group&ct=title&resnum=4&ved=0CBsQqwQwAw#

vista
http://video.google.com/videosearch?hl=no&source=hp&q=how+to+reformat+xp&um=1&ie=UTF-8&ei=eTXsSoCjGYLY-Qbl_KHwCw&sa=X&oi=video_result_group&ct=title&resnum=4&ved=0CBsQqwQwAw#q=how+to+reformat+vista&hl=no&view=2&emb=0

XP http://www.google.no/search?hl=no&source=hp&q=how+to+reformat+xp&meta=&aq=f&oq=

vista http://www.google.no/search?hl=no&q=how+to+reformat+vista&meta=&aq=f&oq=

how to reinstall a dell computer
http://www.ehow.com/how_2172122_dell-computer-microsoft-windows-xp.html

[Lynn210]

I read about reformatting.. WOW!!

I have all drivers .. but I would sure like to avoid reformatting

Do you suppose I could reboot to CD and try a system repair?
or are the viruses/trojans too bad for that?

[edifyguy]

I read about reformatting.. WOW!!

I have all drivers .. but I would sure like to avoid reformatting

Do you suppose I could reboot to CD and try a system repair?
or are the viruses/trojans too bad for that?

I really hate how quick people are to encourage you to throw in the towel and reformat, even on an antivirus supplier's website. I think it's shameful.

If you've not yet done so, (I read only the second page of the forum) perform all updates, then schedule a boot-time scan. Avast's boot-time scan can eliminate most serious problems by nuking them before Windows actually starts. Make a note of any filenames which it states it is unable to remove for one reason or another. There are ways to remove these later, once we know where they are.

If you find things that won't move to the chest for whatever reason, download the latest Puppy Linux LiveCD (it's very small) burn it to a CD (burn image, not burn the file as a file......) and use the simple explorer interface to find and remove the files that you noted earlier.

One other thing you can try is a program called ComboFix. I use ComboFix as a sort of digital Drano to blast loose really severely clogged computers. That one's also worth a try. Once you use ComboFix to knock it free, the Avast boot scan will certainly fix the rest. There is some risk with ComboFix, but I've never had it make a problem for me yet. It fixes the computers that are so clogged they won't even allow Avast to run, because some viruses do that.

I am an Avast Reseller, and I believe wholeheartedly in Avast. Give it a chance to work before you exercise the nuclear option................

[Tarq57]

(I read only the second page of the forum)

Welcome to the forum, and how about reading the first page, and then come back and suggest a fix, please?
I'm very not keen of reformatting, also. But if programs won't run, it starts to look like an easier option, sometimes.
Depends on the user.

Lynn210,
I fully understand your preferring not to format. I can offer some limited advice. I'm not a formally trained anti malware jedi. (Yes, there are online schools for these. And a qualification. Not called "Jedi", though.)
Does this look like what you have?
Unfortunately the removal instructions rely on being able to use MBAM, which has been disabled.
I suspect this is a new variant of the "active security" malware, with a crypto/polymorphic component.

Have you had any success getting the re-named combofix to run? Someone else (hopefully) is waiting for that log, if available.

I'd try these steps in the order I've written them. You should only connect this computer to the net, and have the other computers firewalled from it, for as long as it needs to update security programs.
Did you try renaming the main exe of MBAM? That is an quick and easy step that may possibly work, and thus worth trying. If you are able to get MBAM to run, update it and perform a quick scan immediately, and at the end, select everything, then select "remove selected".

You could also try downloading Superantispyware, install and update it, and have it scan. Quarantine everything it finds. The installer can be downloaded on one of the good computers, to a flash drive, and then copied to the (disconnected) sick computer for installation. If it installs, connect that computer long enough for it to update.

This post, by one of the more experienced forum users, contains links to BART disk vendors. (They're free. Avast has a BART disk, too, but it's designed for system admins in a corporate environment, and pricey.)
Read the instructions on each site (I'd try Dr Web or Avira, first) on what to do, download and burn the disk on a good computer, and see how you go.

[polonus]

Hi Tarq57,

We have qualified malware eliminators aboard here, just a PM to essexboy and I know he would love to kill this one with the help of ComboFix or some other hogwart tools. Remember this is an ever evolving battle because the malware changes almost overnight, today's' ComboFix is not tomorrow's and sometimes have to be renamed to Gotcha or another random name, same goes for MBAM.
I would sure give this a try, because there is not a trace of a dangerous file-infector like virut that makes a "total recall" solution inevitable...

polonus

[Tarq57]

Thanks, D, I might just do that.

Lynn210, a link to a manual removal that worked (apparently) for one user.

[essexboy]

Hi lets have a quick look to see what you have

To ensure that I get all the information this log will need to be uploaded to Mediafire and post the sharing link.

Download OTL  to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\system32\eventlog.dll
%systemroot%\system32\scecli.dll
%systemroot%\netlogon.dll
%systemroot%\system32\cngaudit.dll
%systemroot%\system32\sceclt.dll
%systemroot%\ntelogon.dll
%systemroot%\system32\logevent.dll
%systemroot%\system32\drivers\iaStor.sys
%systemroot%\System32\drivers\nvstor.sys
%systemroot%\system32\drivers\atapi.sys
%systemroot%\system32\drivers\IdeChnDr.sys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options /s
%systemroot%\*. /s /r

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    

[Lynn210]

essexboy

This sounds great if I could get that far..

Once I execute a program it will not work anymore.
notepad is one of them
excel and so on


I did try changing the combofix name.. did not work..
reports it as an infected file as soon as it is clicked on.

I looked at the link for manual removal of active security

Sometimes I can get into task manager .. other times I cant I get a popup
saying it is infected too and cannot run..

I have found that if I move really fast after a reboot I can out run
this program.. but only for seconds.

Avast is putting everything into the vault.. so I am wondering if this is
also messing up my system files

I am trying a Repair for the original CD .. but get stuck at

iaStor.sys driver.. I researched it and all but haven't gotten anywhere

If I go to the one stored on my computer.. windows says it is "incompatible"

I can't find the file on my Dell resource file either... and windows repair will not bypass it
repair stalls..

[essexboy]

OK that tells me that , that is probably the infected file.  Can you run OTS ?
 

[essexboy]

If you cannot run OTS

Please save this file to your desktop.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. 

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop.  Please open it with notepad and post the contents here.

[Lynn210]

What is OTS?

[Lynn210]

Do I include the quotes in the command?