Author Topic: One Nasty Virus/Trojan - Kills all virus scanners  (Read 135114 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #30 on: November 01, 2009, 12:09:43 AM »
Yes, include the quotes; I posted the OTS instructions in my first post. Here it is again:

To ensure that I get all the information, this log will need to be uploaded to Mediafire; then post the sharing link.

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\system32\eventlog.dll
%systemroot%\system32\scecli.dll
%systemroot%\netlogon.dll
%systemroot%\system32\cngaudit.dll
%systemroot%\system32\sceclt.dll
%systemroot%\ntelogon.dll
%systemroot%\system32\logevent.dll
%systemroot%\system32\drivers\iaStor.sys
%systemroot%\System32\drivers\nvstor.sys
%systemroot%\system32\drivers\atapi.sys
%systemroot%\system32\drivers\IdeChnDr.sys
%systemroot%\*. /s /r
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options /s

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
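The last line of that custom scan lists the Image File Execution Options key: a per-image Debugger value under it silently redirects the launch of whichever executable is named, which is one way an infection "kills" scanners without touching their files. As an added example (not essexboy's instructions or OTL's code), this script parses a `reg export` of that key and reports images redirected to anything outside an assumed allow-list of real debuggers; the export text is constructed inline and avscanner.exe is a placeholder name:

```python
import re

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample of a `reg export` of the IFEO key (not a real export): avscanner.exe
# stands in for a redirected security tool, myapp.exe for a legitimate debugger attachment.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscanner.exe]
"Debugger"="C:\\WINDOWS\\system32\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="C:\\Program Files\\Debugging Tools for Windows\\windbg.exe"
"""
# Assumed allow-list of debuggers a developer might legitimately attach to a process.
KNOWN_DEBUGGERS = {"windbg.exe", "cdb.exe", "ntsd.exe", "ntsd", "vsjitdebugger.exe"}
KEY_LINE = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_ifeo_export(text):
    """Map each per-image IFEO subkey to its REG_SZ values, un-escaping .reg data."""
    entries, image = {}, None
    prefix = (IFEO + "\\").lower()
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_LINE.match(line)
        if key:  # subkey header; the IFEO root itself yields image=None
            name = key.group(1)
            image = name[len(prefix):] if name.lower().startswith(prefix) else None
            if image is not None:
                entries.setdefault(image, {})
            continue
        value = STRING_VALUE.match(line)
        if value and image is not None:
            data = value.group(2).replace("\\\\", "\\").replace('\\"', '"')
            entries[image][value.group(1)] = data
    return entries


def find_debugger_hijacks(entries):
    """Return (image, debugger) pairs whose Debugger is not a known debugger binary."""
    hits = []
    for image, values in sorted(entries.items()):
        debugger = values.get("Debugger", "").strip('"')
        if debugger:
            # basename of the first token, so 'C:\dir\ntsd.exe -d' compares as 'ntsd.exe'
            basename = debugger.rsplit("\\", 1)[-1].split()[0].lower()
            if basename not in KNOWN_DEBUGGERS:
                hits.append((image, debugger))
    return hits
```

A real export is produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and is written as UTF-16, so read it with `open(path, encoding="utf-16")` before handing it to parse_ifeo_export.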

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #31 on: November 01, 2009, 12:11:01 AM »
While I am doing all this.. should I disable Avast?

Offline essexboy

Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #32 on: November 01, 2009, 12:11:40 AM »
No, no need for that

Lynn210

Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #33 on: November 01, 2009, 12:22:17 AM »
As I mentioned earlier.. I tried a repair with the windows CD
and it stalled at ... iaStor.sys driver needed.
There was one on the computer.. tried it.. Windows says it is incompatible
Could not find one on my Driver CD that came with the computer

Now I can't get out of setup.. can't get the computer to boot
in safe mode or any other mode, including "last configuration that worked"

Now what??


Offline essexboy

Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #34 on: November 01, 2009, 12:30:10 AM »
Is this a Dell system ?

Lynn210

Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #35 on: November 01, 2009, 12:37:14 AM »
Yes ... I just spent half an hour there trying to find the driver

Offline essexboy

Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #36 on: November 01, 2009, 12:40:10 AM »
I can't find the correct driver either as there are about 6 varieties for Dell - do you have a Dell driver disc? It will be in the sata/scsi folder (hopefully)

What is the model of your system ?

Lynn210

Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #37 on: November 01, 2009, 12:43:08 AM »
Yes I have the Dell Driver Disc

It is an installation disk.. I tried to look at it on this computer
but was afraid it might try to install and mess this computer up.

The sick computer is a Dell XPS 410
Dell lists it as a XPS 410/9200



edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #39 on: November 01, 2009, 12:58:29 AM »
I've yet to find an infection so bad that I had to go nuclear. I did deal with an infection that sounded very much like this one, and it was indeed tough to get around, as the virus prevented you from running anything it didn't want to have running... such as anything that might get rid of it. It was a renamed ComboFix that broke its stranglehold and let me get at it. Have you tried renaming it something totally stupid, like, ert-y76p.exe? Does it even attempt to run when clicked, or does it just sit there?

Another option that I have used on a number of severely virused-up machines is F-prot for Linux running off a LiveCD. Try downloading Puppy Linux 4.1.2, burn the image to a CD (must be done with the "burn image" function, not just burning the file), and boot from it. If you can get it to connect to the internet (90-95% odds you can, if only wired), then the XFProt item on the menu will download the very latest version of F-Prot, and give you a skin through which to look at the output. I don't recall if there's any way to tell it to automatically delete the junk it finds, but it gives you a nice detailed log of what it finds, so you can address the problems it finds any of a number of ways. Puppy Linux is great for stuff like this as it's a quick download and it's very easy to get it live.

If it comes down to it, is there another computer you could simply add your hard drive to as a second and simply scan it with Avast that way?

edifyguy

Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #40 on: November 01, 2009, 01:04:53 AM »
http://support.dell.com/support/downloads/driverslist.aspx?c=us&l=en&s=gen&ServiceTag=&SystemID=DIM_PNT_9200_XPS_410&os=WW1&osl=en&catid=&impid

There are drivers here for the Dell version you have

I believe this is the one you require

http://support.dell.com/support/downloads/download.aspx?c=us&l=en&s=gen&releaseid=R158601&SystemID=DIM_PNT_9200_XPS_410&servicetag=&os=WW1&osl=en&deviceid=8615&devlib=0&typecnt=0&vercnt=2&catid=-1&impid=-1&formatcnt=1&libid=41&typeid=-1&dateid=-1&formatid=-1&fileid=211963

Let me know if it works and we will progress from there

iaStor.sys is the Intel SATA driver for MS Windows. You can't delete it or do much of anything to it because Windows depends upon it for access to the boot device. A virus that gets into that would indeed be very clever, and also difficult to remove, but I have my personal doubts as to whether it did. Still, using the update driver function to replace that file can't hurt, but the problem is that it can't do it live, so it gets the files ready, then reboots using the new ones. This behavior should theoretically lose a virus stored in the old version, but I can conceive several possible ways that it could jump into the new one as well. However, I'm not optimistic about that being your problem. Have you tried uploading a copy of it to www.virustotal.com? That'll give you a pretty good idea of whether or not it's part of your problem. Dollars to doughnuts it isn't. It'd be a very clever virus indeed that could tamper with that file and not give you a blue-screen-of-death before you even got the computer booted up.

Lynn210

Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #41 on: November 01, 2009, 01:08:08 AM »
essexboy

The file you found is an executable.. it needs to be executed to get to the
driver.. and I suppose this needs to be done on the computer it is going to
be installed on.. which I cannot get to.

Windows XP repair is asking for a file.. I don't think it can read an executable.

Also.. It has been a very long time since I burned a CD .. and I have never
burned an image..

I have Roxio on this computer.. will that do it?

Lynn210

Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #42 on: November 01, 2009, 01:18:46 AM »
essexboy

I have another disk that is for my hard drive .. it says it is a combo
drive and the disk is supposed to have the drivers.. but here again
it does not list the driver as a file.. you have to activate setup
and so on

The disk name is WD Dual-option Media Center and Combo Drive

Installation and drivers..

My service tag number is F57KQB1
I think you can use it to see a list of all that is on this computer
It did not ask for a password or anything..

edifyguy

Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #43 on: November 01, 2009, 01:19:28 AM »
essexboy

The file you found is an executable.. it needs to be executed to get to the
driver.. and I suppose this needs to be done on the computer it is going to
be installed on.. which I cannot get to.

Windows XP repair is asking for a file.. I don't think it can read an executable.

Also.. It has been a very long time since I burned a CD .. and I have never
burned an image..

I have Roxio on this computer.. will that do it?

I understand what he's trying to get you to do, and no, Windows repair won't use that executable, but you can use another computer to extract the files and then give them to Windows with a (write-protected, if possible!) thumb drive.

Roxio will burn the image very nicely, though I can't give you exact steps. Here's a link to the image I'd recommend: http://distro.ibiblio.org/pub/linux/distributions/puppylinux/puppy-4.1.2-k2.6.25.16-seamonkey.iso My recommendation would be to download this and make the CD on a different computer. Here's a link to a free CD image burning program that will assure that you correctly burn the image to CD: http://www.burnatonce.net/files/bao0995.exe Open the image in burnatonce, and tell it to burn. You can't get it wrong.

Once you get the Puppy CD burned, just put it in and boot the problem puter from it. (You might have to hit F12 during boot to get the one-time boot device menu.) Then use the "connect" icon on the desktop to establish an internet connection, and run the XFProt shortcut (Puppy menu > Utilities? > XFProt; going by memory here) to download the AV.

Lynn210

Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #44 on: November 01, 2009, 01:26:48 AM »
OK .. I do use F12 to get to the boot menu

I don't have a "Connect" icon on my desktop

Will this mess up my connection for Windows?

If I could get this to run.. will that give you what you need to know what
to do to get rid of the viruses and trojans?

Then there remains getting the computer to boot up Windows XP