BleepingComputer.com: Unknown virus kills and corrupts antivirus.

Here is my original thread

AVG, MalwareBytes, Super AntiSpyware, and GMER all crumble before this mysterious virus. AVG's real-time scanning is disabled, and if I run a scan, it completes after checking zero files saying no threats found. When scanning with Super Antispyware, MalwareBytes and GMER, they all start searching for a few seconds then get terminated and the executables become corrupted (kind of. The error message received when attempting to open the file again is "Windows can not access the specified device, path or file. You may not have the appropriate permissions to access the item.")

GMER lasts longer because it scans other entries before scanning "Processes." I'm pretty sure the other two scan processes very early in the scan (within seconds). But once it scans processes, like the rest, it gets terminated and corrupted.

I believe the culprit here is the file C:\Windows\3517402925:3534772270.exe - 464K

Unfortunately it will not show up in the log I attach since as soon as it goes to processes, the program gets terminated. You'll see in my aforementioned thread that while GMER was scanning "Files", it did find the file (C:\Windows\3517402925:3534772270.exe) and it lasted for about 10 seconds, but then got terminated and corrupted.

HALP!

 GMER.txt (16.12K)
Number of downloads: 1

This post has been edited by Putrid: 10 November 2011 - 03:10 PM

Hi,

could you please try to run a scan with OTL:
We need to create an OTL Report

• Please download OTL from one of the following mirrors:
  • This is THE Mirror
  
  
• Save it to your desktop.
  
• Double click on the icon on your desktop.
  
• Click the "Scan All Users" checkbox.
  
• Push the button.
  
• Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
    
  • Extra.txt <-- Will be minimized

Sorry for the delayed response

 OTL.Txt (66.22K)
Number of downloads: 1
 Extras.Txt (39.69K)
Number of downloads: 0

Also a new development, the buffoon using the workstation installed "Privacy Protection" which appears to be easily dealt with by MalwareBytes but, alas, that is not an option yet.

I take it this is a business computer?

If so, I strongly recommend you to ask your IT suppport/network Administrator to fix this. After all they are paid to do so.

I ask this for several reasons:

• There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware.
  
• Any infection could jump terminals in a computer network.
  
• There may also be legal issues regarding any loss of business data that I do not wish to deal with.
  
• Some people who come here use their computers for work, and the computers may contain the patient records of a physician or the financial records of an accountant's clients or credit card and bank account information of their employer's customers.
  
• There may be tremendous risks and legal liability for such users for not fully securing the computer. We will not know this unless we ask. We do not want to be accidentally putting those we help in vulnerable positions for law suits.
  
• Business factors outweigh technical factors in making the reformat and reinstall decision. Sometimes friends give missing CDs or lack of expertise as a reason for not doing a reformat and reinstall.
  
• The cost of replacing missing Windows XP and MS Office CDs and getting an Microsoft Certified Systems Engineer to come in for 3 hours to do the reinstall and apply all the critical updates, is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.
  
• In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor trojan which puts them in a particularly vulnerable situation and sending them to seek local professional help from a Microsoft Certified Systems Engineer or Certified Information Systems Security Professional or Global Information Assurance Certification Certified Security Expert or Certified Computing Professional or Internet Service Provider than we would be trying to fully resolve their problems long distance.

Technically, I am their IT "professional".

Oh and there is no proprietary information on this machine, there are no legal issues with this.

Hi,

please try to be a bit more respectful of your users then at least. They may be unable to remove the malware, but that's also not what they get paid for...

Please run ComboFix next:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Temporarily disable isable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
  Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link
  
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

Oh, no, they're entertainers. It's a party entertainment company. Clowns and magicians.

It looks like ComboFix resolved the issue of the mystery file. It also came up with a message saying the station was infected with "rootkit.zeroaccess" and prompted a reboot. I haven't proceeded further yet, I'm waiting on your instruction.

Also curious why it uninstalled the old "Helper" program.

 ComboFix.txt (78.04K)
Number of downloads: 3

Hi,

this looks like a false positif from ComboFix. Could you give me some more info on the program, as to better establish what it is?
You can restore by moving the files back from the quarantine into the folder:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti

This post has been edited by myrti: 12 November 2011 - 08:56 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.