Author Topic: One Nasty Virus/Trojan - Kills all virus scanners  (Read 132893 times)


Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #120 on: November 01, 2009, 10:18:55 PM »
Here goes nothing


Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #121 on: November 01, 2009, 10:22:42 PM »
Going to take a break while it is scanning.. unless there is
something else you want done..

Meet you back here in an hour?
That last scan took 30 minutes so if this one is
doing archives I suppose it would take at least an hour.. no?

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #122 on: November 01, 2009, 10:27:15 PM »
Could take longer, actually. This time around, it's very carefully analyzing every file for things that look like they would do bad things, which will likely result in a few false positives, but we'll root through that once it's done. The net effect though, is that instead of mostly just looking for code signatures it knows already are evil, it's actually analyzing code, and it'll take longer to do that way.

Also, that looks like the correct file. You're actually pretty good at this. Not everyone could do what you've done here. Give yourself a pat on the back.  ;)

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #123 on: November 01, 2009, 10:37:07 PM »
Wow.......thanks for uploading the chest log.........that was..........revealing.  :-\

There were a number of files that were captured repeatedly, including the syssvc.exe that we were attempting to remove from the first scan around. It's part of a rootkit, a virus that installs as a driver, and those are very difficult to get rid of while Windows is running, because they're very difficult to unload while Windows is running, as they are highly self-protecting. Using Linux to work on Windows while it's offline is going to be our best shot.

I'm going to distill your chest log into a second removal script to make sure that none of these previously-known evil files are still hanging around. I think they likely have been removed with the exception of the syssvc.exe file, but better safe than sorry........

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #124 on: November 01, 2009, 11:05:05 PM »
OK, here's a remover script for any stragglers that Avast found but F-prot didn't.

I get the impression that the syssvc.exe was the key foot-in-the-door that had your computer strangled. Just removing that will likely be sufficient to unlock Windows, but we're going to be thorough about this.

One thing I did out of curiosity is that this second script (run like the first: rename, right-click, window > terminal here, sh remove2.sh ) doesn't delete things, except for the contents of 2 temporary file repositories that should definitely be emptied under the circumstances. The rest it moves to a safe location so we can see if it did, in fact, find anything.

I look forward to the second scan logfile.
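
The move-instead-of-delete approach described in Reply #124, sketched as an added example. This is not the remove2.sh from the thread; the function names, the log format and every path in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the script from the thread. All paths are constructed.

# quarantine ROOT QDIR LIST: LIST has one path per line, relative to ROOT (the
# mounted offline volume). Existing files are moved under QDIR with their
# directory layout kept, every decision is logged, and the count moved is printed.
quarantine() {
    root=$1; qdir=$2; list=$3; moved=0
    mkdir -p "$qdir" || return 1
    log=$qdir/quarantine.log
    while IFS= read -r rel || [ -n "$rel" ]; do
        case $rel in ''|'#'*) continue ;; esac            # blank or comment
        case $rel in /*|*..*) echo "SKIP unsafe: $rel" >>"$log"; continue ;; esac
        src=$root/$rel
        if [ -f "$src" ] && [ ! -L "$src" ]; then         # regular file, not a symlink
            mkdir -p "$qdir/$(dirname "$rel")"
            if mv -- "$src" "$qdir/$rel"; then
                echo "MOVED $rel" >>"$log"; moved=$((moved + 1))
            fi
        else
            echo "ABSENT $rel" >>"$log"
        fi
    done <"$list"
    echo "$moved"
}

# empty_dir DIR: delete everything inside a temp directory, keep DIR itself.
empty_dir() {
    [ -d "$1" ] || return 0
    find "$1" -mindepth 1 -delete
}

# Demo on a constructed tree standing in for the mounted Windows partition.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/win/some/dir" "$t/win/tmpdir"
    : >"$t/win/some/dir/syssvc.exe"; : >"$t/win/tmpdir/junk.tmp"
    printf '%s\n' 'some/dir/syssvc.exe' 'some/dir/gone.dll' >"$t/list.txt"
    quarantine "$t/win" "$t/quarantine" "$t/list.txt"
    empty_dir "$t/win/tmpdir"
    cat "$t/quarantine/quarantine.log"
    rm -rf "$t"
}
demo
```

The log records which listed files were actually present, and anything moved can be restored from the quarantine directory if it turns out to be a false positive.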

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #125 on: November 01, 2009, 11:30:10 PM »
Curious.......it seems a few other people are following this, because the files get downloaded many more times than just by Lynn. Is this helping anyone else, too?

essexboy
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #126 on: November 01, 2009, 11:35:03 PM »
Yep never used Linux in this manner before  ;D

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #127 on: November 01, 2009, 11:38:04 PM »
Yes .. we have quite a following it seems.

I saw someone using this Puppy Linux system on a different
forum when I was looking around for help..

OK.. the scan is running reaaaaallly slow... but it is still going.

Do you want me to run the second script now or wait till the scan is done?

Tarq57
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #128 on: November 01, 2009, 11:42:34 PM »
Quote from: edifyguy
Curious.......it seems a few other people are following this, because the files get downloaded many more times than just by Lynn. Is this helping anyone else, too?
Yep. Curious, want to see what is done. Learning.
Windows 10,Windows Firewall,Firefox w/Adblock.

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #129 on: November 01, 2009, 11:44:39 PM »
Question...

I run several external hard drives on this computer.
I have disconnected all of them for now.. but will I have
to scan those before reattaching them once this computer
is back up and running..

What are the chances that this virus infected those files?

They are data files .. not program files or anything like that.

I keep all program and OS files on the main computer.. and then
all other files are stored external... I do that on all 3 of my computers.

I have had viruses before and they never infected the external drives
but this one is a devil... so was just wondering.

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #130 on: November 01, 2009, 11:52:24 PM »
It is unlikely that your external drives have been affected, but possible, so once we get your computer running properly again, you will want to scan them carefully and not use them on any other computers for a while. The likelihood is low of a problem, as what usually happens with these viruses is that they seek out what looks like a Windows installation and implant themselves into that. Most viruses don't just stick copies of themselves in random stuff.....the goal is to have the code executed, not just to have lots of copies of it. So most viruses are choosy, and put their payload into files that will affect things, like Windows installations and sometimes programs. There's not much point in infecting data files, as they are opened, but not executed.

I'm glad that this is proving to be so educational for everyone. Like I said, I've got some tricks!  ;D

I wouldn't bother with that script until the scan is done, as the hard drive is still read-only right now, remember?

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #131 on: November 01, 2009, 11:58:14 PM »
I think I just messed up the scan

I was typing something to you and used a dash
seems using a dash is a no no.
anytime I do.... something weird happens and this forum
crashes

This time the forum crashed and I ended up finishing what I was typing
in the scanning window.. it still seems to be wiggling but there are now a few letters after the wiggle lines.

What should I do?
« Last Edit: November 02, 2009, 12:01:00 AM by Lynn210 »

Pondus
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #132 on: November 01, 2009, 11:59:22 PM »
Quote
I'm glad that this is proving to be so educational for everyone. Like I said, I've got some tricks!  
I don't understand half of what you are doing but it is very interesting to follow...... :o..... ;D

Tarq57
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #133 on: November 02, 2009, 12:04:00 AM »
Quote from: Lynn210
seems using a dash is a no no.
anytime I do something weird happens and this forum
crashes
I wonder if there is something not quite right with the computer you are using to view the forum? Apart from one server overload message here, about two hours ago, it's working fine, here. Perhaps you should use another browser or computer?
Check that cookies are allowed.
Dashes and all other regular punctuation markings are allowed.!@#$%^&*()_+/"etc

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #134 on: November 02, 2009, 12:05:05 AM »
So .. to leave off.. once the scan is done
need to copy the log file to a permanent location..
send you a copy of the log file..

I follow the instructions to  change the hard drive to read-write
then run script one ... then script two

Since this scan is going to take quite a while.. I will take a break
and check back here every half hour or so to see if the scan is
finished..