
Virus stopping me from using antivirus


6 replies to this topic

#1 FreakingSabia

Posted 08 July 2009 - 03:24 PM

Virus obtained from a website. Loading up the page, the virus auto-downloaded a program which I tried to stop but apparently failed.

When I noticed I was infected I tried to run MBAM, but the program would not open. Trying again multiple times, it still would not open. Opened Task Manager to check for anything suspicious; on the list MBAM was there multiple times. Ended those and it still would not work.

Found a hidden file in Application Data, 10007184, which contained the Antivirus Agent Pro program, and deleted it.

Found suspicious .exe's and ended them, suspected to be part of the virus: Wmiprvse.exe and Wuauclt.exe.

Virus name was Anti-Virus Agent Pro. With SpybotSD, SAS, and MBAM not working I tried to run AVG, which did work.
AVG got rid of most of the files but cannot get rid of the rest of the virus, and none of the other software will open.

AVG log cannot be posted at the moment since I am in safe mode.

Tried to uninstall MBAM and reinstall, but the installation program will not run. Again, the installation program is still on the Task Manager list.

Symptoms of the virus:
Unable to run antivirus
Unable to install programs
Clicking on websites causes a new tab to open up with an ad on it
viewmgr from Viewpoint encounters a problem and ends at startup
Computer occasionally freezes
Occasionally get a blue screen at startup, but it hasn't happened recently

AVG could not remove:
C:\Windows\Explorer.exe (1848)
C:\Windows\System32\Svchost.exe (1116)
C:\Windows\System32\Svchost.exe (1164)
C:\Windows\System32\Svchost.exe (1596)

Suspicious software:
Wmiprvse.exe
Wuauclt.exe

Removed from registry and startup:
Brastia
aap C:\program Files\antivirus Agent Pro\aap.exe
protect
b


Currently day 2 of having the virus and working on it.

Edited by FreakingSabia, 08 July 2009 - 03:35 PM.




#2 Budapest (Moderator)

Posted 08 July 2009 - 05:30 PM

Please download RootRepeal Rootkit Detector and save it to your Desktop.

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.
* Create a new folder on your hard drive called RootRepeal (C:\RootRepeal) and extract (unzip) RootRepeal.zip. (click here if you're not sure how to do this. Vista users refer to this link.)
* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the Files tab, then click the Scan button.
* In the Select Drives dialog, under Please select drives to scan: select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 FreakingSabia (Topic Starter)

Posted 08 July 2009 - 09:36 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/08 22:35
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: c:\windows\ntbtlog.txt
Status: Size mismatch (API: 732642, Raw: 732518)

Path: C:\WINDOWS\system32\hjgruiavrdaxjs.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruikhbakyxp.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruipfdijkty.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruitmxodbvm.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACarefepscdmccbon.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACckctvusrsglsltk.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACdxtmvceabartaex.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACidufyvklnpvymqw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACiyotxjtakvdmmhm.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACmidtddygheejxvj.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uactmp.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACwncdetdrcmkdbbr.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACb17d.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruihntiwprmit.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruiynkbxdsvrc.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACutunalndorwyllg.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\hjgruiylkxefuj.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\brian\local settings\temp\~df6ffc.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\brian\local settings\temp\~df9c82.tmp
Status: Allocation size mismatch (API: 24576, Raw: 0)

Path: C:\Documents and Settings\Kevin2\Local Settings\Temp\UAC79c.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Brian\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{AA0C1B69-6C30-11DE-B854-00038A000015}.dat
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Brian\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{AA0C1B6A-6C30-11DE-B854-00038A000015}.dat
Status: Visible to the Windows API, but not on disk.
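
The RootRepeal report above is a cross-view comparison: the tool walks the NTFS structures on disk and checks each file it finds against what the Windows API will enumerate. "Invisible to the Windows API!" therefore means a live driver or API hook is hiding that path, while the size and allocation mismatches on ntbtlog.txt and the temp files are the kind of discrepancy an ordinary file that is open for writing produces. The following is an added example, not part of this thread and not code from RootRepeal: a Python script that parses the rootrepeal.txt format shown, buckets each finding by its reported status, and separates the hidden .sys files under drivers\ (the ones Budapest tells the poster to wipe in the next reply) from the rest. The sample report is a trimmed excerpt of the log posted above, and the UAC/hjgrui prefix list is an assumption taken from reading that log, not something the tool reports.

```python
"""Parse a RootRepeal 'Hidden/Locked Files' report and triage its findings.

Added example for this thread; it is not code from RootRepeal or from the
forum. It only reads the text report the tool saves as rootrepeal.txt.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Trimmed excerpt of the report posted in this thread (raw string: the
# Windows paths keep their single backslashes).
SAMPLE_REPORT = r"""ROOTREPEAL (C) AD, 2007-2009
==================================================
Scan Time: 2009/07/08 22:35
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: c:\windows\ntbtlog.txt
Status: Size mismatch (API: 732642, Raw: 732518)

Path: C:\WINDOWS\system32\UACarefepscdmccbon.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruiavrdaxjs.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACutunalndorwyllg.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\hjgruiylkxefuj.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\brian\local settings\temp\~df6ffc.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Brian\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{AA0C1B69-6C30-11DE-B854-00038A000015}.dat
Status: Visible to the Windows API, but not on disk.
"""

# Assumption: filename prefixes taken from reading the posted log. RootRepeal
# itself reports no family names; this list is purely for grouping.
KNOWN_PREFIXES = ("UAC", "hjgrui")

# Each finding is a "Path:" line immediately followed by a "Status:" line.
ENTRY_RE = re.compile(r"^Path: (?P<path>.+?)\r?\nStatus: (?P<status>.+?)\r?$", re.MULTILINE)


@dataclass
class Finding:
    path: str
    status: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def prefix(self) -> Optional[str]:
        """Known family prefix of the filename, matched case-insensitively."""
        lowered = self.name.lower()
        return next((p for p in KNOWN_PREFIXES if lowered.startswith(p.lower())), None)

    @property
    def hidden(self) -> bool:
        # The on-disk NTFS walk found the file but the Windows API will not
        # enumerate it: only an active hook or filter driver produces this.
        return self.status.startswith("Invisible to the Windows API")

    @property
    def is_driver(self) -> bool:
        return self.name.lower().endswith(".sys") and "\\drivers\\" in self.path.lower()


def parse_report(text: str) -> List[Finding]:
    return [Finding(m["path"].strip(), m["status"].strip()) for m in ENTRY_RE.finditer(text)]


def classify(f: Finding) -> str:
    if f.hidden and f.is_driver:
        return "rootkit_driver"        # the kernel component that hides the rest
    if f.hidden:
        return "hidden_component"      # payload files kept out of the API view
    if f.status.startswith(("Size mismatch", "Allocation size mismatch")):
        return "in_use_file"           # API and raw views disagree on size: file being written
    if f.status.startswith("Visible to the Windows API, but not on disk"):
        return "cached_or_deleted"     # API knows the name, no on-disk record yet/anymore
    return "unknown"


def triage(text: str) -> Dict[str, List[str]]:
    """Group paths by classification; rootkit drivers are what to wipe first."""
    buckets: Dict[str, List[str]] = {
        k: [] for k in ("rootkit_driver", "hidden_component", "in_use_file", "cached_or_deleted", "unknown")
    }
    for f in parse_report(text):
        buckets[classify(f)].append(f.path)
    return buckets


if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_REPORT).items():
        for p in paths:
            print(f"{bucket:18} {p}")
```

Only the hidden entries are evidence of an active rootkit; the ntbtlog.txt and temp-file mismatches in the same report are what you would expect from files that were open while RootRepeal read the disk, which is why a practitioner reads the status column before acting on the path column.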

#4 Budapest (Moderator)

Posted 08 July 2009 - 10:12 PM

Rerun RootRepeal. After the scan completes, go to the Files tab and find these files:

C:\WINDOWS\system32\drivers\UACutunalndorwyllg.sys
C:\WINDOWS\system32\drivers\hjgruiylkxefuj.sys

Then use your mouse to highlight them in the RootRepeal window.
Next, right-click on them and select the *wipe file* option only.
Then immediately reboot the computer.

Then run a quick scan with Malwarebytes.

#5 FreakingSabia (Topic Starter)

Posted 08 July 2009 - 10:39 PM

Problem solved.

I would like to say that I am grateful that there are people, and a website like this, to help people like me with their computer problems.

Thank you for your help.

#6 Budapest (Moderator)

Posted 08 July 2009 - 10:44 PM

If you’re clean, you should create a new Restore Point to prevent possible re-infection from an old one.

Go Start > Programs > Accessories > System Tools and click System Restore. Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name and then click Create. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go Start > Run and type: "Cleanmgr" (without the quotes). Click Ok > More Options tab > Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Also, go Start > Control Panel and double-click Add or Remove Programs. Post back and report any Java entries that you have.

#7 wazndude77

Posted 08 July 2009 - 10:47 PM

By the way, if you do get infected again and it does not allow you to run any antivirus, just rename the program to something random (generated letters) and it should run just fine... in most cases.
