Author Topic: One Nasty Virus/Trojan - Kills all virus scanners  (Read 132602 times)


Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #270 on: November 04, 2009, 10:01:30 PM »
XP SP3 won't install.. I get an error that just says

There was an error installing SP3 click ok to undo
changes etc.

Now what?  What could be keeping that update from installing?

-++++-----

By the way.. Avast updated itself today and announced it ok
and the ball is finally spinning around again every now and then.

So maybe I won't have to reinstall it.. what do you think?

-----------------------

Well apparently Windows can't clean up too good after itself.
As soon as SP3 supposedly.. returned the system to the state it was in before
it tried to upgrade.. I got another error saying that XP was partially upgraded and may not work right anymore.. or something like that.

Well it's trying to reboot and is hung up .. I will give it some time then
turn it off and back on.. so much for updating.
 :(

Had to turn it off and back on.. took a while but finally booted up

Ran Eusing.. it found 977 items.. looked through them.. most of them looked
legit as far as I could tell.. old uninstalls.. pieces of net frame that went with the missing pieces.. pieces of rar files.. and so on...

Is it safe to just select them all and let the program clean up.. I have never
seen so many errors from a registry cleaner before.
« Last Edit: November 05, 2009, 01:06:56 AM by Lynn210 »

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #271 on: November 05, 2009, 09:03:15 AM »
There are actually several things that could be keeping SP3 off, but do bear in mind that SP3 is a low-importance update.

Here's a more important thing you should do: Start > Run... > "sfc /scannow" [enter] which will verify the integrity of all the system files. It's a bit like a repair install without doing a repair install. I think you may yet be missing a few vital pieces of the puzzle. After it finishes, reboot. It will almost certainly want the CD back, too.

If all else fails, and sfc /scannow doesn't resolve your issues with things, you might have to do another repair install now that the virus is gone to fix the damage the virus did afterwards, but not too likely to be necessary.

I usually let Eusing fix everything it offers to fix. I have seen Eusing toss over 3000 dead keys, and the system was better for it, not worse. In your case, you really haven't got much to lose anyway, but it should be fine.

How did the .NET remover work for you? Did it kill it? Doth it yet torment thee, fair maiden?  Or hast the dragon been slain? ;D

Avast either works or it doesn't. If it's working, I'd leave it to its work. As the system completeness and stability increase, it should work better. One thing you might check is the level of security. It may be turned down low by the virus to try to go unnoticed. Avast is usually pretty clever about its self-protection, though.

When SP3 quits its installation, it should throw at least one error code (ex: 0x3076a203) if not several. Those codes can be used to determine what is preventing it from working. Can you get those codes down next time if it bombs again? I think once you run sfc /scannow and reboot it will probably go, but if not, those codes will be a lifeline.
« Last Edit: November 05, 2009, 09:09:02 AM by edifyguy »

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #272 on: November 05, 2009, 09:12:29 AM »
What is the purpose of Windows 3.1 Installer?

---------------

I have not done the .NET framework .. so which should I do first..
Eusing.. SP3 again.. or .NET tool..

-------------

System still won't let me re-install programs that were on it when infected.
I was able to install NEW programs .. so something is blocking install.

Curious that new stuff will install and not the old..
-------------------
Running sfc /scannow
It did ask for the repair disc.. said some dll files were missing.. looks
like it is installing those.. very slowly...

It is 3AM here.. so I think I will call it a night and work on the other stuff
between working for a living tomorrow.

By the way... what area of the US do you live in.. it would help to know which
time zone you are in.. I am EST .. Florida
« Last Edit: November 05, 2009, 09:17:13 AM by Lynn210 »

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #273 on: November 05, 2009, 09:39:59 AM »
I'm also in EST and awake at an unreasonable hour for various reasons.  :-\

I suggest doing the .NET removal tool once sfc /scannow is done, then Eusing, then reboot.

If Windows is trying to get you to install Windows Installer 3.1, DO THAT NEXT. Nothing that used the Windows Installer service (including likely Windows Update) will work right if Windows Installer is messed up. Reinstalling that may make a world of difference in how things go in this fight.

Then try the .NET installation package, it should go fine, then see about the old programs you're trying to reinstall. It may be issues with the Windows Installer, or it could just be that it has some but not all pieces installed and it wants to uninstall before reinstall, and hence is stuck. Many popular commercial applications also have removal tools available; search the manufacturer's website for them. You can always manually uninstall......but that's not any fun........

One thing that might help you out now is to look in C:\quarants and move the folders in there back into C:\Program Files to repair some of the missing stuff that we created semi-on-purpose. Don't put the "Active Security" one back in there, if it's in C:\quarants...just delete it. You also don't want the loose files back....most of them were contaminated. However, moving the other folders back to Program Files should help in your quest for restored functionality.

One last thing.......I suggest you DON'T put SP3 on that box. I talked to someone recently who has done this longer than I have and he said that SP3 doesn't work well on XP Media Center Edition. I guess it makes it very strange and unstable or something......SP3 is not important anyhow, as I mentioned before. Just don't let it install it through Automatic Updates. Use the "Notify me...." setting and uncheck its box.
« Last Edit: November 05, 2009, 09:43:20 AM by edifyguy »

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #274 on: November 05, 2009, 09:51:51 AM »
I did some research on SP3 before I installed it on that machine and did not
like what I read.. however the darn thing kept asking so I let it do the install.

I believe there was something that would not run without it.. maybe IE8

Anyway.. once installed .. SP3 cannot be uninstalled I think..

sfc finished.. I rebooted before I saw your message.

------------------------------
Where do I find Windows Installer..

----------------------------------
There isn't much in quarants

folder DivX
folder NetConceal
folder ShowAnalyzer
avuriqur.dll
blackbox.dll
ftp.exe
fxsclnt.exe
ieapfltr.dll
ISSetup.dll
kernel32.dll
LegitLibM.dll
PEV.exe
sessmgr.exe
StatusClient.exe
tscupgrd.exe
Win32kDiag.exe
winlogon.exe
winsock.dll
wsock32.dll
---------------------------

I'm like you.. up and down at all hours..
Haven't gone to sleep yet today though.

One of the nice things about working at home is you can make all
these odd hours ..

-------------------------------------

Found Windows Installer and downloaded it without a problem..
Looks like it installed ok too..
Now to try installing something..
----------------------------------

Still can't get the old programs to reinstall.. must have something to do with
the virus.. cause I noticed .. what I was running when it hit is ok.. and new
installations seem to be ok .. but not the programs that were on the computer
during the attack. 
-------------------------------
Going to do the .NET program .. Eusing ... .NET reinstall

-----------------------------
Reboot then try Windows update again ..
-----------------------------
Then try to install again.. if that doesn't work.. I will try uninstalling the
programs .. run Eusing for cleanup.. reinstall.
------------------------------
« Last Edit: November 05, 2009, 02:14:26 PM by Lynn210 »

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #275 on: November 05, 2009, 03:13:59 PM »
Well.. this does not look good.. Ran .NET cleanup tool
Ran Eusing.. it found 1274 items.. told it to repair.. all the issues disappeared
and the program locked up????  ???

Let it sit there for half an hour just in case it was doing something I could
not see... used task manager to end the program.. ran it again .. this time it
only found a few items... 12 .. files all made sense.. ran repair.. this time it finished ok.. ran it again... REBOOTED

cli.exe application error
The application failed to initialize properly (0xc0000135). Click on OK to terminate the application.

---------------------------------------
Running .NET reinstall now.. got past first hurdle.. seems to be going along
ok...

Spoke too soon.. did not get very far.. about 1/3 of the way and got an error
message..

.NET Framework has encountered a problem and needs to close. We
are sorry... blah blah blah

data within the error that they want me to waste my time sending to MicroS

EventType : clr20r3  P1 : servicemodelreg.exe  P2 : 3.0.4506.648
P3 : 470e4746  P4 : servicemodelreg  P5 : 3.0.0.0  P6 : 470e4746
P7 : 2b  P8 : 1e  P9 : system.typeloadexception

Then when you look at the actual report they want to send to microsoft
it is EXTREMELY long and they don't let you make a copy for yourself..


If that means anything to you let me know.

Clicked on the ok it ran some more then got another error message

setup.exe
EventType L visualstudio8setup P1 : 14001  P2 : 3.5.21022.08_orcas_x85_net
P3 : mc  P4 : inst  P5 : f  P6 : dd_ca_installxwsregexe_x86.3643236f_fc70_11d3
P7 : 0  P8 : 1603  P9 : -  P10 : gencomp780_{12cd

-------------------------------------
I also got an error log .. attached


---------------------------------
Right now I am going to reboot and try Windows update
then try .NET again

---------------------------------
I could try a repair again...  ???
« Last Edit: November 05, 2009, 03:59:58 PM by Lynn210 »

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #276 on: November 05, 2009, 04:03:53 PM »
Well .. I was able to access updates online.

I am doing all the updates now..

I did SP3 only because it was already on the machine .. and is needed
for some of the software on here.. mainly IE8

So far so good..

There are 57 other "high priority" updates that MS says I need.. they are next.

Install was successful it seems.. it is now rebooting.. Much faster than before
but still a lot slower than this computer..

Once it finishes rebooting.. I will do the other updates.. then try installing .NET again... although the updates should do that no????

---------------------
Got that mini boot screen again and an error message
Update Windows: msoobe.exe application error
The instruction at 0x604a29b6 referenced memory at 0x00000000 The memory
could not be read.

I clicked cancel for debug.. which does not usually work.. now it is hanging there trying to log on.. .. welcome has appeared... but not starting up yet.. seems to be looking for something ... hourglass pops up now and then.. waiting... waiting.... here comes ... my desktop... now the yellow shield is finally showing in the task bar!! That is some success I guess..
Will do the rest of the updates at microsoft then see what happens.
« Last Edit: November 05, 2009, 04:25:13 PM by Lynn210 »

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #277 on: November 05, 2009, 04:27:53 PM »
Downloading all the updates in the yellow shield.. .NET framework was in the list.. maybe this time it will install.. we shall see..

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #278 on: November 05, 2009, 06:55:19 PM »
Have made several trips to microsoft updates online..

Think I almost have all of them installed..
JAVA updated itself ..

took several tries before .NET installed.. but I think it finally has via
Micro online updates.

Guess I should run Eusing again..

Then try using my programs.. see if they need reinstalling or if they were missing something from windows to make them run.

------------------------------

Do you think I should run the virus/malware programs to make sure all
is well?
------------------------------------------

I could not get Disk Defragmenter to run
------------------------------------------
« Last Edit: November 05, 2009, 09:36:17 PM by Lynn210 »

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #279 on: November 05, 2009, 08:13:41 PM »
OK Got all the updates installed.. microS says there are no updates that I need.

Tried one of my programs.. it worked.. however not perfectly..
It locked on one of my external hard drives.. so I had to shut down.. disconnect
the drive to get it released.. now I am waiting to see what happens.

--------------------------

A lot of my desktop icons disappeared..

I keep getting a notice when I reboot
Could not reconnect all network drives..

----------------
As part of my routine I run Malwarebytes .. and CCleaner at least every
couple of days on this computer.. is Eusing safe enough to run that often?
I find that if I run a registry cleaner often.. I can decipher what it says much
easier.. most of the time it is something I have uninstalled.

-----------------------------
Avast is my anti-virus.. this computer needs a fairly high amount of protection.. it does all my downloads .. what settings do you recommend?

I don't usually keep Spybot and Adaware active.. I usually
uninstall them and only use them once in awhile.. they seem to slow things down.
Speaking of which.. IE8 is working great.. Firefox is still sluggish.. I am going to try uninstalling it and reinstalling it.
-----------------------

Need some suggestions here..
That drive that got hung up... still cannot access it.. something is keeping it
running.. the light is flickering.. when I connected it Windows recognized new hardware and all .. and added it to my list of hard drives but without any data next to it .. size.. avail space etc.. I don't want to lose the stuff that is on that drive..
HELP!!!!

This is what happened.. it connected fine.. I accessed it with one of the programs that would not work before.. a program that checks for "empty folders" .. it scanned the drive and found and listed all the empty folders... then I clicked on one of the empty folders and then went to the desktop link that usually took me to the directory containing the empty folder .. that is when it locked up.. desktop link would not work and would not release.. now I cannot get access to this drive.
The drive is active.. something is accessing it.. When I try to stop it with "SafeRemove" it says the device cannot be stopped because a program is still accessing it..

While I wait for your reply I am going to shutdown the computer.. disconnect the drive again and see if it will work on another computer..
------------------------------------------
Does not work on this computer either.. Windows sees the drive.. adds it as hardware.. but cannot access the drive.. "Error performing inpage operation"

On this computer at least the drive stops running.. I see it in Device Manager
says it is healthy .. shows the total size.. same with Disk Manager..
My computer shows the drive without any data about size or available..
--------------------------------------------

« Last Edit: November 05, 2009, 08:57:48 PM by Lynn210 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #280 on: November 05, 2009, 08:34:08 PM »
It looks like you might be getting close to the end of your journey (I hope) and one I'm sure you don't want to embark on again. So when there, you should consider a robust backup and recovery strategy to recover from computer problems no matter what they might be.

-- SYSTEM BACK-UP & RECOVERY
If you fail to plan, then you plan to fail.
If you have a back-up and recovery plan, you can recover from anything in minutes, not hours or days.

1. Back up all the things that you don't want to lose, data files, like documents, spreadsheets, emails, email account details, registration keys, address book, favourites/bookmarks, downloaded files/programs, etc. The list goes on and on, but if you don't want to lose it, back it up. There are many back-up programs that can simplify this task and run it every day.

2. Recovery - re-installing your system really is a poor choice and one of last resort. There are tools (Drive Imaging software) that take exact images of your Partitions or Hard Disks and these images can be restored in minutes if you suffer a major catastrophe and that doesn't have to be a virus attack.

I do a weekly image of my partitions and save them to my 2nd hard disk, they can also be saved to off-line storage, DVD, USB external hard disk, etc. as part of my weekly system maintenance.

So if the worst comes to the worst at most I lose:
A. 6 days' worth of program updates or new installations, but with my daily back-up I can recover most of that.
B. less than one day's data files, emails, etc.
None of these is a problem and much quicker than a system reinstall and I don't have to go on-line to download the myriad of security updates needed to secure my system where there is a chance to get reinfected whilst my system has vulnerabilities because of these missing patches. Not to mention all my system tweaks and program settings are retained and I will have saved myself many hours of work and a huge amount of stress.

Many of these programs cost, there are some free ones, but it will take some research on your part to find these tools and decide on what is best for you from reviews, user feedback, etc. Good luck.
- Free EASEUS Partition Master http://www.partition-tool.com/personal.htm this also allows for disk copying.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #281 on: November 05, 2009, 08:48:31 PM »
DavidR

That's all very interesting if I knew how to do it I would..

First.. the only thing I keep on the computer itself is the OS and program files.

None of my data files are resident.. they are all on external hard drives...

I would love a nice easy system like you mentioned.. care to share how yours
is set up and what you are using? Is your system a Windows XP system?
« Last Edit: November 05, 2009, 09:06:40 PM by Lynn210 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #282 on: November 05, 2009, 09:41:59 PM »
Well this really isn't the place (as it would be off-topic), but really there isn't that much to it, the main thing is selecting the tools and there are more backup tools out there (which will backup data files, etc) along with hard drive imaging tools than you can shake a stick at (google).

So I can only say what I use (in my signature), but my backup, although simple once I have it set up, is a little complex to set up, as you have to know where the files you want to back up are, as I use a little tool called Mirror.exe and it requires you to create a batch file for the run commands which copy folder contents (so you have to have some structure to where your data is stored) to a folder on another HDD. This creates an exact mirror, as any file deleted in a source folder would result in the file in the destination folder also being deleted. Only modified/new files in the source folder/s are copied to the destination folders.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
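
The mirror behaviour described in the post above, as an added example (this is not Mirror.exe, its batch file, or anything posted in the thread): `plan_mirror` is a dry run that lists what would be copied and what would be deleted from the destination, and `apply_mirror` carries it out. The function names, the size/mtime comparison and the `max_delete_ratio` cap are assumptions made for this sketch; the sample trees are constructed.

```python
import shutil
import tempfile
from pathlib import Path


def _index(root):
    """Map relative path -> (size, whole-second mtime) for files under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): (p.stat().st_size, int(p.stat().st_mtime))
            for p in root.rglob("*") if p.is_file()}


def plan_mirror(src, dst):
    """Dry run: return (to_copy, to_delete) without touching either tree."""
    s, d = _index(src), _index(dst)
    to_copy = sorted(rel for rel, meta in s.items() if d.get(rel) != meta)
    to_delete = sorted(rel for rel in d if rel not in s)
    return to_copy, to_delete


def apply_mirror(src, dst, max_delete_ratio=0.25):
    """Make dst mirror src. Assumed safeguard (not a Mirror.exe feature):
    refuse the run if it would delete more than max_delete_ratio of dst."""
    to_copy, to_delete = plan_mirror(src, dst)
    existing = len(_index(dst))
    if existing and len(to_delete) / existing > max_delete_ratio:
        raise RuntimeError(f"refusing to delete {len(to_delete)} of {existing} files")
    for rel in to_copy:
        target = Path(dst) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(Path(src) / rel, target)  # copy2 preserves the mtime
    for rel in to_delete:
        (Path(dst) / rel).unlink()  # a deletion at the source reaches the mirror
    return to_copy, to_delete


def demo():
    """Run three mirror passes over constructed sample trees."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "data"), Path(tmp, "mirror")
        (src / "docs").mkdir(parents=True)
        dst.mkdir()
        for name in ("docs/a.txt", "docs/b.txt", "c.txt", "d.txt"):
            (src / name).write_text("v1 " + name)
        first = apply_mirror(src, dst)  # initial run copies everything
        (src / "c.txt").write_text("v2 changed, longer")  # modified file
        (src / "d.txt").unlink()  # one file deleted at the source
        second = apply_mirror(src, dst)  # 1 of 4 deleted: within the cap
        for name in ("docs/a.txt", "docs/b.txt"):
            (src / name).unlink()  # mass deletion at the source
        try:
            apply_mirror(src, dst)  # 2 of 3 would be deleted: refused
            refused = False
        except RuntimeError:
            refused = True
        return first, second, refused, sorted(_index(dst))


if __name__ == "__main__":
    print(demo())
```

A mirror holds only the current state of the source, so the dry-run plan and the deletion cap are the two points where an unexpected mass deletion can be caught before it reaches the copy.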

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #283 on: November 05, 2009, 09:49:05 PM »
DavidR

I used to have backup set up like that.. Iomega has a program that comes with their external drives that do what you say.. I did daily backups.. and like you said there is tons of software out there.

I use WD hard drives now.. 1 TB each

My thing is that I don't quite understand how a software program can take a picture of your entire system accurate enough to be able to save a computer from what I just went through..

I suppose System Restore is basically doing exactly that.. but System Restore is extremely unreliable and very rarely works.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #284 on: November 05, 2009, 09:56:59 PM »
It captures a bit by bit image (I don't know the technicalities of it and don't really need to) of the drive and restores an 'exact' image of what your system was at that point in time when you ran the imaging software.

System Restore is less than perfect and only protects certain things, it isn't a patch on drive imaging software. I have had system restore disabled on my systems for years, trusting in my drive imaging software, which has hauled my butt out of the fire on a number of occasions (none virus related).