Unidentified infection disabling all antivirus programs.


10 replies to this topic

#1 garriottfan


  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:19 PM

Posted 08 August 2009 - 01:09 PM

I recently became infected with something.
I am running Windows XP SP3.

The first thing I noticed was a prompt that Windows Firewall had been disabled.
Secondly, Lavasoft Ad-Aware said that it had identified a process associated with a trojan (I didn't catch the name), and was blocking it.
Lavasoft Ad-Aware crashed shortly afterward.
A rogue antivirus program popped up a short minute later, but this was easily disabled, and has caused no further problems.
All I had to do to fix that was delete a.exe and msa.exe from a certain system folder.

But...
It doesn't end there.

Systematically, as I tried to use all my other usual security programs, including Spybot, AVG, Windows Defender, SDFix, HJT, and Combofix, they would all run once, and then crash mid-scan, and cease working completely. Windows Defender gave an error regarding the service for it being stopped, and I am unable to manually restart the service via control panel. The other programs give errors with the common theme of "access denied".
Whatever this thing is, it has completely nuked the executables for the above mentioned antivirus programs.
I don't know how, but the access privileges have been changed in such a way so that I can't even delete these files, or overwrite them in a reinstall.
This is the first time I have been completely unable to open ANY of my usual antiviral programs.

I wish I had more information to give, but I don't. Whatever this is, it's extremely elusive.
I do not know where I contracted this, or even how to identify it, but am very worried by how it managed to fly by every single security measure I have installed.
Any help as to where I should start will be greatly appreciated.

Edited by garriottfan, 08 August 2009 - 01:11 PM.



#2 garriottfan


Posted 08 August 2009 - 02:42 PM

I should add that I was also unable to access the antivirus executables in BartPE, with the same access denied error message.
This indicates to me that it has nothing to do with the virus process preventing me from running it, but that it actually damaged the executable itself somehow.

I'm really at a loss for words here.
I can't use -any- countermeasures to fix this crap; it's killed every program in the book.
Anyone have any ideas?

#3 garriottfan


Posted 08 August 2009 - 04:24 PM

I've made a tiny bit of progress.
I've found out that I can remove the files using gmer, and then reinstall the programs, and make the .exe files read-only, preventing them from being messed with. I've fixed Spybot, Ad-Aware, Windows Defender, Malwarebytes Anti-Malware, and HJT using this method.
However, despite not being overwritten they are still shut down any time I try to scan things.
AVG I cannot fix, due to a registry error during reinstallation. It's definitely being blocked by something.

I still can't get combofix to work, at all.


*edit*
Never mind.
It rewrote all of them after a restart.

Edited by garriottfan, 08 August 2009 - 04:34 PM.
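Posts #1 and #3 describe three observable states: security-tool executables that return "access denied" even from BartPE, a Windows Defender service that cannot be restarted, and files that are rewritten after a reboot. The script below is an added triage example, not something from this thread or from any of the products named in it. It reads the ACL, owner and attributes of a list of tool executables, reports the status and start mode of the related services, and lists any files named a.exe or msa.exe under the Windows directory, so the state can be recorded before any repair is attempted. The install paths in $toolExes and the service names in $services are assumptions (typical defaults) and should be edited to match the machine.

```powershell
# Added triage script, not from the thread. Assumptions (edit before running):
#  - $toolExes lists typical install paths for the tools the thread names;
#    real paths vary by version and install location.
#  - $services lists assumed service names (WinDefend = Windows Defender,
#    SharedAccess = Windows Firewall/ICS on XP, avg8wd = AVG 8 watchdog).
# Run from an elevated Windows PowerShell prompt; it only reads state.

$toolExes = @(
    "$env:ProgramFiles\Spybot - Search & Destroy\SpybotSD.exe",
    "$env:ProgramFiles\Windows Defender\MSASCui.exe",
    "$env:ProgramFiles\AVG\AVG8\avgui.exe",
    "$env:ProgramFiles\Malwarebytes' Anti-Malware\mbam.exe"
)
$services = @('WinDefend', 'SharedAccess', 'avg8wd')

# FileSystemRights.ExecuteFile is bit 0x20; generic rights can be negative
# ints, so compare on the raw integer rather than the enum value.
$ExecuteFileBit = 0x20

function Test-ToolAcl {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'missing'; Detail = '' }
    }
    $acl  = Get-Acl  -LiteralPath $Path
    $item = Get-Item -LiteralPath $Path -Force

    # Explicit Deny entries, or no Allow entry carrying ExecuteFile, match the
    # "access denied" symptom; owner, attributes and size help tell a
    # re-ACLed file from one that was replaced outright.
    $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    $exec = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $ExecuteFileBit) -ne 0)
    })

    if     ($deny.Count -gt 0) { $status = 'deny-ace' }
    elseif ($exec.Count -eq 0) { $status = 'no-execute' }
    else                       { $status = 'ok' }

    [pscustomobject]@{
        Path   = $Path
        Status = $status
        Detail = ('owner={0}; attrs={1}; size={2}; deny={3}' -f
                  $acl.Owner, $item.Attributes, $item.Length,
                  (($deny | ForEach-Object { $_.IdentityReference }) -join ','))
    }
}

function Get-ToolServiceState {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            [pscustomobject]@{ Service = $name; Status = 'not-installed'; StartMode = '' }
            continue
        }
        # Win32_Service exposes the start mode (Auto/Manual/Disabled), which
        # Get-Service on older Windows PowerShell does not.
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        [pscustomobject]@{ Service = $name; Status = $svc.Status; StartMode = $wmi.StartMode }
    }
}

# Post #1 names a.exe and msa.exe in a system folder; list any copies below
# the Windows directory (path, size, timestamp) for later identification.
function Find-NamedFiles {
    param([string[]]$Names, [string]$Root = $env:SystemRoot)
    Get-ChildItem -Path $Root -Recurse -Force -Include $Names -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

Write-Host '== Security tool executables =='
$toolExes | ForEach-Object { Test-ToolAcl -Path $_ } | Format-Table -AutoSize -Wrap
Write-Host '== Services =='
Get-ToolServiceState -Names $services | Format-Table -AutoSize
Write-Host '== Files named in post #1 =='
Find-NamedFiles -Names @('a.exe', 'msa.exe') | Format-Table -AutoSize
```

A status of deny-ace or no-execute on a path that exists, or a product service with StartMode Disabled, is the state worth recording before reinstalling anything, since a reinstall overwrites the evidence. The read-only attribute from post #3 is not a protection on its own: anything that can rewrite a file's ACL can clear the attribute just as easily, which is what post #3 observed after the restart.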


#4 garriottfan


Posted 08 August 2009 - 05:02 PM

Tried using RootRepeal, it got killed too.

#5 garriottfan


Posted 08 August 2009 - 09:44 PM

Uh, anyone?

#6 garriottfan


Posted 09 August 2009 - 12:04 PM

Bumped for help.

#7 garriottfan


Posted 10 August 2009 - 08:25 PM

Bumped again for help.

#8 DaChew


    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:08:19 PM

Posted 10 August 2009 - 08:45 PM

You are supposed to boot to the BartPE disk.

Here's another option:

http://www.f-secure.com/en_EMEA/security/s...e-cd/index.html

I spent a couple of hours checking 4 or 5 of these Linux boot CDs; this was the only one with a current update that you could load from a USB drive.

It would be easier to just reload the computer.

You could wait until a fix for this infection surfaces.
Chewy

No. Try not. Do... or do not. There is no try.

#9 garriottfan

garriottfan
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:19 PM

Posted 10 August 2009 - 09:07 PM

You are supposed to boot to the BartPE disk.

Uh, I did.
How else could I possibly have used it?

Here's another option:

http://www.f-secure.com/en_EMEA/security/s...e-cd/index.html

I spent a couple of hours checking 4 or 5 of these Linux boot CDs; this was the only one with a current update that you could load from a USB drive.

It would be easier to just reload the computer.

You could wait until a fix for this infection surfaces.

I don't think any other sort of Live CD environment would help, either.
My problem is that I can't even identify this thing.
It's very frustrating.

#10 DaChew


Posted 10 August 2009 - 09:24 PM

You have to use a clean computer to download and burn the live cd's on.

That's a given.

I found one thread where an advanced user has run 2 separate rescue disks (kasp and avira) and made enough progress to get DDS to run.
Chewy

No. Try not. Do... or do not. There is no try.

#11 garriottfan


Posted 10 August 2009 - 09:29 PM

You have to use a clean computer to download and burn the live cd's on.

That's a given.

Hm, I suspected as such.
Will be a pain in the --- to do, though.



