Infected PC can't run combofix, malwarebytes, etc


4 replies to this topic

#1 resistol

  • Members
  • 3 posts

Posted 25 August 2009 - 10:00 PM

This computer has an infection that seems to recognize all detection/removal tools, and it is not tricked by renaming files like combofix.exe -> random.exe

Craziest thing about it is that if I rename something like hijackthis, it will run for a moment, then the virus recognizes it, kills it, and won't let me open the file again. It learns to block the filenames - a windows error comes up with something like "cannot find the specified path or file" once the virus knows what I have renamed it to.

Background story:
I was handed a laptop that was getting to the welcome screen, playing the Windows startup sound, and then just sitting there with a blue screen. I found that Task Manager worked, and I was able to run tasks using it. I can get to websites using the address bar in iexplore, but noticed Google search result links were all being redirected. So I knew there was an infection.


I have tried:
combofix - when renamed to something like "abcd.exe" the little ComboFix loading box shows up, but when the command prompt window should appear, the program closes.
hijackthis - when renamed, HJT starts, but as soon as I start a system scan, it closes. If I try to open the renamed file again, Windows says it cannot find it.
malwarebytes antimalware - I renamed the installer file, installed it to a renamed directory, renamed the executable, but it would not open. Instantly killed.
mgtools - same general idea
superantispyware - same
sdfix, smitfraudfix - same
rootrepeal - same
runscanner - same

I gave up on this for the time being and went to online scans - PC-cillin and one other - both of them gave me errors when they tried to scan.

I tried searching for all files created in the Windows folder in the last day and deleted all suspicious files. Noted that braviax.exe kept coming back.
Tried removing all registry entries related to braviax; also noticed that the winlogon Shell entry had some other stuff after "explorer.exe", so I removed that stuff.

Still no luck running any scans, no luck fixing anything.

I just now saw a link for RegistrarLite but don't have the computer again until tomorrow - has anyone had any luck with this?

Or does anyone have any other ideas? Thanks in advance.

Edit: Moved topic from XP to the more appropriate forum. ~ Animal
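The Winlogon Shell value mentioned in the post above is a comma-separated list of programs Windows starts at logon, which is why appending a second path after explorer.exe is a common persistence trick. The following is an added example, not code from the thread or from any of the tools named in it: it parses a constructed .reg-style export offline and reports any Shell or Userinit entry that is not in the expected baseline. The key and value names are the real Winlogon ones; the baseline paths are assumed XP defaults, and the appended EXAMPLE_PLACEHOLDER.exe is a made-up file name.

```python
"""Flag unexpected entries in the Winlogon 'Shell' and 'Userinit' values.

Added example (not from the thread). Works on a constructed .reg export so it
runs offline; on a live Windows box the same values would be read with winreg.
"""
import re

# Assumed Windows XP baselines. Shell normally lists only explorer.exe; anything
# appended after it (as described in the thread) deserves a look.
EXPECTED = {
    "Shell": {"explorer.exe"},
    "Userinit": {r"c:\windows\system32\userinit.exe"},
}

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample export mimicking the symptom in the post: a second
# program appended after explorer.exe. The file name is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe,C:\\WINDOWS\\system32\\EXAMPLE_PLACEHOLDER.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''


def parse_reg_values(text, key):
    """Return {name: value} for the string values under one key of a .reg export."""
    values = {}
    in_key = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line[1:-1].lower() == key.lower()
            continue
        if not in_key:
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m:
            # .reg files escape backslashes and double quotes; undo that here.
            values[m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return values


def split_entries(value):
    """Split a comma-separated Winlogon value into normalised program names."""
    return [e.strip().lower() for e in value.split(",") if e.strip()]


def suspicious_entries(values):
    """Return {value_name: [entries not in the baseline]} for Shell and Userinit."""
    findings = {}
    for name, baseline in EXPECTED.items():
        if name not in values:
            continue
        extra = [e for e in split_entries(values[name]) if e not in baseline]
        if extra:
            findings[name] = extra
    return findings


if __name__ == "__main__":
    found = suspicious_entries(parse_reg_values(SAMPLE_REG, KEY))
    for name, extras in found.items():
        print(f"{name}: unexpected -> {extras}")
```

Running it on the sample reports only the Shell value, because the trailing comma on Userinit is normal and is dropped by split_entries. Comparing against a baseline rather than looking for a specific file name is deliberate: the thread describes malware that keeps coming back under the same name, but the check should still fire if the appended program is renamed.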


#2 dpunisher

  • BC Advisor
  • 2,234 posts
  • Gender:Male
  • Location:South TX

Posted 25 August 2009 - 10:15 PM

I tangled with a new variant of the Braviax a couple of weeks ago on a customer's Dell. I have been doing this for a while and this was one of a few to beat me. I disabled the Braviax easily but couldn't fix all of the changes and disable/delete other malware that got downloaded. I removed the drive, hooked it to a USB adapter, hit it with every scanner I had, no luck. I finally got smart, backed up 14 gigs of user docs and pics, formatted and reinstalled XP. Sometimes it's the best way, but I still hate getting beat by that stuff.

EDIT: I tried every trick I knew to get ANY antivirus/malware scanner to run, and it was a no go. I could eventually install Malwarebytes but it would run for 10 seconds, stop, and spit out a clean log.

Edited by dpunisher, 25 August 2009 - 10:21 PM.

I am a retired Ford tech. Next to Fords, any computer is a piece of cake. (The cake, it's not a lie)

3770K @4.5, Corsair H100, GTX780, 16gig Samsung, Obsidian 700 (yes there is a 700)


#3 tehfetus

  • Members
  • 9 posts
  • Gender:Male
  • Location:Magalia...

Posted 26 August 2009 - 02:29 AM

Might I ask exactly where you found the braviax files and what OS you had?

#4 resistol (Topic Starter)

  • Members
  • 3 posts

Posted 26 August 2009 - 10:24 AM

Might I ask exactly where you found the braviax files and what OS you had?


I found them in c:\windows and in c:\windows\system32

#5 resistol (Topic Starter)

  • Members
  • 3 posts

Posted 26 August 2009 - 10:26 AM

I also wanted to note that when I run ComboFix (I run it as random.exe), the loading progress bar thing happens, then nothing else - but the process itself, "random.exe", stays in Task Manager's process list; it just doesn't do anything.
