
Windows Antivirus Pro - Can't run any programs


18 replies to this topic

#1 ElSeed (Members, 9 posts)

Posted 09 August 2009 - 07:57 PM

Hi,

I have to post this from another computer because I can't even open a browser on the infected one, it is infected with Windows Antivirus Pro. I found some guides on how to remove this but I don't seem to have any of the processes that are supposed to be running (windowsantiviruspro.exe, svchast.exe...) When this first started my antivirus warned me about a few programs that were trying to run (msb.exe, a.exe, b.exe, c.exe) all of which I chose to deny access to. I see those sometimes in task manager but even if I kill them I still can't run any programs. I can't run hijackthis, malwarebytes or windows defender. If I watch task manager when I try to run something desot.exe appears briefly then disappears and the program fails to run.

The computer is running Windows XP Pro, completely up to date as of a week or so ago when this all started, with Trend-Micro internet security, also up to date.

I'm afraid I'll have to reinstall the OS to get rid of this baddie. Has anyone ever dealt with anything like this before? Any help would be greatly appreciated.

Steve


#2 Budapest, Bleepin' Cynic (Moderator, 23,579 posts)

Posted 09 August 2009 - 08:12 PM

Have you tried scanning in Safe Mode?

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 ElSeed, Topic Starter (Members, 9 posts)

Posted 09 August 2009 - 08:23 PM

Forgot to mention that I get BSOD if I try to start in safe mode.

Also should say that I had been getting frequent BSOD on shutdown for a few weeks before this and it seems to have gone away now that the infection is in full force.

#4 Budapest, Bleepin' Cynic (Moderator, 23,579 posts)

Posted 09 August 2009 - 08:27 PM

VIPRE PC Rescue. This is a command-line utility that will scan and clean a computer which is so badly infected that programs cannot be easily run. Be sure to print out and follow the instructions provided on the same page.

#5 ElSeed, Topic Starter (Members, 9 posts)

Posted 09 August 2009 - 08:54 PM

When I tried that program the same thing happened, I could not run it, so I went and found desot.exe (it was in WINDOWS/System 32) and deleted it. Now, when I try to run a .exe file, instead of nothing happening, I get the "Choose the program you would like to use to open this file" dialogue box.

The only program I can run is OTM that I found in this guide:

http://www.myantispyware.com/2009/07/27/ho...l-instructions/

Renamed as a .com file it will run. The problem is that I don't have the same processes running that this guide shows.

#6 Budapest, Bleepin' Cynic (Moderator, 23,579 posts)

Posted 09 August 2009 - 09:01 PM

Skip to Step 2 (Repair running .exe files) on that guide.

#7 ElSeed, Topic Starter (Members, 9 posts)

Posted 09 August 2009 - 09:43 PM

:thumbsup: Doh! I gave up on that guide about 2 lines above that. It worked and I can run programs now. VIPRE is running now and finding lots of files. I'll get back on it tomorrow and let you know what happens. Thank you so much for your help.

#8 AtrocityExhibition (Members, 18 posts)

Posted 09 August 2009 - 09:51 PM

Sorry to butt in here, as it's not my thread, but ElSeed, you just perfectly described what happened to my computer. I think I'll take the steps in this thread.

ElSeed, thank you for describing exactly, whereas my post was vague. :thumbsup:

#9 ElSeed, Topic Starter (Members, 9 posts)

Posted 10 August 2009 - 09:14 PM

Ok, so I can run programs now but anytime I try to scan with something the program crashes. Windows Defender still won't start and if I try to manually start the service I get an error "access denied" message. Ad-Aware, Trend Micro and Malwarebytes all crash during scanning but Malwarebytes I was only able to run once because after that I couldn't start it again. I got a (paraphrasing) "could not find file or path....you may not have permission to view this file..." message.

What should I do next? HijackThis? I'll be back tomorrow night for more...

Thanks again.

Steve

#10 Budapest, Bleepin' Cynic (Moderator, 23,579 posts)

Posted 10 August 2009 - 09:49 PM

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.


#11 ElSeed, Topic Starter (Members, 9 posts)

Posted 11 August 2009 - 07:56 PM

I've run it twice. Both times it got to the same point in the scan (about a 1/4 through) and I got a BSOD.

I can run VIPRE all the way through and it detects 531 items but only quarantines one file and does nothing else. It finds backdoors, key loggers, downloaders, rogue security programs.... everything.

#12 KingTuttle (Members, 1 post)

Posted 11 August 2009 - 09:35 PM

ElSeed

I was coincidentally infected on the same day as you. I am suffering from almost identical issues (minus the BSOD) - nothing runs mwb, hjt, online scans, combofix etc. The ONLY program that was able to somewhat work (using the alternate start from the start prog angle) was superantispyware. However, it dies once it starts detecting rootkits. So I tried DrWeb's Live CD. *NOTE* even changing file names in every way possible didn't work. Even funnier is now I cannot even uninstall the programs...haha bastards. :/ I am not sure if you have access to another computer but I made a boot cd with this tool and was able to clean up some crap which has allowed me more abilities than previous.

This is definitely a nasty variant of Windows AntiVirus Pro.

Also, I did do some research on the virus itself and did regedit work. This helped a lot but still the bastards exist to some degree. Although once I went this route incidentally any .exe file wouldn't work after boot so I had to use exefix_xp to resolve that issue.

I write all of this because I am following this thread and adding my experience (and pain) as I go.

Some additional symptoms I have noticed:

*iexplore.exe runs in the background (sometimes multiple iterations) without even showing up. It is definitely being hijacked.
*when I do run superantispyware it dies ALWAYS once it starts identifying Rootkits.

Ok...going back at it now...I will stay tuned.

Edited by KingTuttle, 11 August 2009 - 09:44 PM.
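The symptom in #5 and #6 (deleting desot.exe turns the "Choose the program you would like to use to open this file" dialog on, and the guide's "Repair running .exe files" step fixes it) and the exefix_xp fix in #12 both point at the same mechanism: the registry keys that tell Windows how to launch a .exe have been redirected through the rogue file, so removing the file leaves .exe with no handler at all. The following is an added example, not code posted by anyone in this thread, that checks a registry export of those keys against their clean Windows XP defaults and produces the repair text that restores them. The desot.exe name and its System32 location come from the thread; the exact redirected command string, the sample .reg text, and all function names are constructed assumptions.

```python
"""Check the .exe file-association keys in a .reg export against their clean
Windows XP defaults.  Added example for this thread; not code from any poster.
Real input comes from:  reg export HKCR\\.exe exe.reg   (and likewise for
HKCR\\exefile\\shell\\open\\command), then pass the file text to
check_exe_association()."""

# Clean defaults on Windows XP (known-good values).
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}

# Constructed sample exports.  The desot.exe name and its system32 location
# are taken from the thread; the redirected command below is an assumption
# about what the hijacked association looked like, not a value recovered
# from any poster's machine.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\desot.exe\" \"%1\" %*"
'''


def unescape_reg(s):
    """Undo .reg string escaping (doubled backslash to backslash,
    backslash-quote to quote)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Return {key: default value} for the subset of .reg syntax needed here:
    [key] headers and @="..." default-value lines."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            values[key] = unescape_reg(line[3:-1])
    return values


def check_exe_association(text):
    """List every expected key whose default is missing or not the clean value.
    An empty list means the .exe handler chain is intact."""
    values = parse_reg(text)
    findings = []
    for key, expected in EXPECTED.items():
        actual = values.get(key)
        if actual is None:
            findings.append(f"{key}: default value missing")
        elif actual != expected:
            findings.append(f"{key}: expected {expected!r}, found {actual!r}")
    return findings


def repair_reg_text():
    """Produce .reg content that restores the clean defaults, which is what
    the guide's 'Repair running .exe files' step does.  Save it with a .reg
    extension and merge it with regedit."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, value in EXPECTED.items():
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        lines += [f"[{key}]", f'@="{escaped}"', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, export in (("clean", CLEAN_EXPORT), ("hijacked", HIJACKED_EXPORT)):
        print(name, check_exe_association(export) or "OK")
    print(repair_reg_text())
```

The check reads the export rather than the live registry so it can be run from a second, clean machine against a file copied off the infected one, which matters here because the infected box cannot reliably run anything. A finding that names a path other than `"%1" %*` is the association hijack; a finding that the default is missing is the state described in #5 after the rogue file was deleted, and merging the repair text puts the handler back.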


#13 Budapest, Bleepin' Cynic (Moderator, 23,579 posts)

Posted 12 August 2009 - 04:18 PM

You could try this Live CD scan:

http://www.freedrweb.com/livecd

#14 ElSeed, Topic Starter (Members, 9 posts)

Posted 12 August 2009 - 09:45 PM

Slick. It's scanning now...been scanning for a while, I set it to scan all sub folders just to be sure. I'll see what happened in the morning.

I love that it runs linux from cd so it's not at the mercy of running processes and such. I have high hopes...

#15 ElSeed, Topic Starter (Members, 9 posts)

Posted 18 August 2009 - 10:10 PM

Just wanted to let you know I haven't given up.

Dr Web Live CD keeps locking up the computer on me. I tried System Restore but it could not complete the restore. I am trying a different restore point tonight...we'll see what happens. Does this virus screw with system restore too?

Is there anything else I can try?
