
Antivirus Pro has many variants- This one is killing me!@!!!


4 replies to this topic

#1 New Hampshire Pete
Posted 30 November 2009 - 11:49 AM

Hi
I've been dealing with this problem for days. I am pretty good at computers and have peeled some of the layers of this virus but could use some further help. My XP install is still dangerously infected and it seems only sensible not to go on the Net while in this state. Therefore, I've booted into Linux at the moment and I am able to do research and communicate with forums.

Some comments and learning curve stuff:

McAfee blissfully ignored the original infection and subsequent scans revealed nothing. The website at least acknowledges the existence of the virus but makes reference to their "Current Dat." as the solution. Wrong, Wrong, wrong! I am mildly pissed at McAfee!!

Malwarebytes did pick up some infections in the registry and files. Having researched the Web extensively it almost seems senseless to name them specifically because I've seen many variations in registry Key names and filenames reported by other victims. This virus is quite the chameleon.


I've learned that if you attempt loading Task Manager while the machine is still booting, it's possible to get it running before the virus is fully operational.

In Task Manager I've noted a suspicious process named "vmcisysguard.exe". Upon stopping the process the machine will allow me to load any program. I still get the stupid infection warnings and it will occasionally load IE, but at least I can dig deeper into the problem. It's interesting to note that repeated searches of my hard drive have not revealed the existence of this executable. Also, a Google search on this executable came up almost empty. There is reference to "Vmci" but that turned out to be a product for large-scale deployment of databases across the Web. Maybe a piece of THEIR product was hijacked?? Google showed that BleepingComputer.com had references to the file but when I ran down the link nothing was found.

Another item worth mentioning is the file "wmiprvse.exe". This is a Microsoft program titled "Windows Management Information." It's used in an enterprise environment to query and set up desktops, databases, and other enterprise components. It's also apparently a target for hijacking by viruses. Although multiple copies can be found in Task Manager, I found dozens of them. Only one listing appeared but as I ended the process another one would replace it with a different PID. I tried searching and then renaming the file in multiple locations on the hard drive. A reboot would cause it to reappear and Event Viewer Info showed that the "file had been modified and a new copy was installed from Restore." I'm not sure if this is significant.

As I dig deeper and (hopefully!) learn more I will report it here. However, if anybody has further insight I sure would appreciate your assistance.

Thanks in advance!!


#2 heshie75v

Posted 30 November 2009 - 12:38 PM

Hi, my advice to you is to download and run HijackThis, and run a scan. I am sure that one of the people here on the forum will ask you to do this. Might as well get started.
Unfortunately I do not know how to read the results of the scan.
Good Luck
Herman

#3 New Hampshire Pete

Posted 30 November 2009 - 12:44 PM

Hi Herman

Thanks for the heads-up. I'm a little familiar with Hijack but somehow I thought it was NOT free. I definitely will check into this ASAP.

Pete

#4 New Hampshire Pete

Posted 30 November 2009 - 01:00 PM

Some interesting new developments. Msconfig revealed that vmcisysguard.exe was being loaded at Startup. It also conveniently provided the path to the EXE. Despite Windows Search not reporting the existence of the file (with Hidden Files and System Files turned on) I ran down the path and voilà! there the file was. FYI (maybe!) the path is as follows: "c:\documents and settings\pete\application data\vdcwwp". Obviously Pete needs to be substituted with your own logon name. Also, as I've indicated earlier, there are many variations of Antivirus Pro. And these don't appear to be randomly generated filenames as some viruses use. But I would be intrigued if someone else came across this same file. Learning curve! Yaknow??!

Before I deleted the reference in my Startup and the file and its folder, I turned off System Restore for all drives. This switch can be found in Control Panel / System / System Restore. I've done this on the advice of someone on another site. Their contention was that Restore files could be hijacked and every time the suspect file was deleted it would be rebuilt by Restore. A Disclaimer!!!! At least that is my understanding..... I am open to any and all corrections about this point.

Anyway, right now I'm running in XP with no apparent difficulty. I will however download Hijack and report the results. I know I've got my fingers crossed. Later....

Pete
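An added example, not from this thread or any of its posters, of the check Pete did by hand with Msconfig: a PowerShell script that lists the standard Run/RunOnce autorun keys and flags any entry whose executable sits under a profile's Application Data folder (where vmcisysguard.exe was found), is marked hidden (which is why Windows Search missed it), or no longer exists on disk. It assumes a modern PowerShell; run it in an elevated session so the HKLM keys are readable.

```powershell
# Added example (not from the thread): enumerate autorun entries and flag the
# traits seen in this case: executable under Application Data, hidden, or missing.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable path out of a Run value such as "C:\dir\x.exe" /arg
function Get-ExePath([string]$command) {
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $command.Trim()
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath $p.Value))
        # Autorun pointing into a user profile's application-data folder?
        $inAppData = $exe -match '\\(Application Data|AppData)\\'
        $exists    = Test-Path -LiteralPath $exe
        $hidden    = $false
        if ($exists) {
            # -Force is needed so hidden/system files are returned at all
            $attr   = (Get-Item -LiteralPath $exe -Force).Attributes
            $hidden = ($attr -band [IO.FileAttributes]::Hidden) -ne 0
        }
        [pscustomobject]@{
            Key        = $key
            Name       = $p.Name
            Executable = $exe
            InAppData  = $inAppData
            Exists     = $exists
            Hidden     = $hidden
            Suspicious = $inAppData -or $hidden -or (-not $exists)
        }
    }
}

# Suspicious entries first; review each before removing anything
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

The Startup folders and scheduled tasks are further autorun locations worth the same review; this block covers only the registry Run keys the Msconfig Startup tab also shows.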

#5 New Hampshire Pete

Posted 01 December 2009 - 11:49 AM

Well I downloaded and installed HijackThis. It's an excellent program, really probing most aspects of the Windows environment. There were things I didn't understand but going on the Net showed me what I needed to know. The upshot of all this is that I apparently was successful removing Antivirus Pro without having to rebuild my computer. It's a huge relief but what I wanna know is why a supposedly superior product like McAfee did not catch this before the damage was done. If I'm able to find an answer to this question I'll let ya know!
