
Antivirus Live removal-followed all suggestions-nothing works


12 replies to this topic

#1 bewines

bewines

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:07 AM

Posted 05 January 2010 - 08:02 PM

I found your site when I searched for a removal of Antivirus Live.

I downloaded the rkill.com and the malwarebytes and followed all the directions to remove including rebooting into safemode with networking. I have manually deleted the registry keys that I found that were listed. I have noticed that each time I run the rkill.com the computer restarts instantly and I suspect that it is not really killing the process that is keeping this program running.

I am constantly getting error messages that whatever I am trying to launch is not working and to close the program.

I have tried all types of the rkill file: .com, .scr, .pif, .exe. Nothing seems to work.

Malwarebytes found files to delete and I did all of that. I still have the same problems. I am not having a problem with the proxy settings being hijacked any longer.

I don't know what else to try. I have downloaded and tried pc tools spyware programs and other spyware and virus programs. Nothing is stopping this.

What next?



#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,958 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:07 PM

Posted 05 January 2010 - 08:32 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:07 PM

Posted 05 January 2010 - 11:32 PM

Hello, please run this, then rerun MBAM. I will look back in the AM.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 bewines

bewines
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:07 AM

Posted 06 January 2010 - 06:18 AM

05:13:26:895 3124 OS Version: 6.0.6001 ServicePack: 1.0
05:13:26:895 3124 Product type: Workstation
05:13:26:895 3124 ComputerName: WINES-PC
05:13:26:895 3124 UserName: BossAdm
05:13:26:895 3124 Windows directory: C:\Windows
05:13:26:895 3124 Processor architecture: Intel x86
05:13:26:895 3124 Number of processors: 2
05:13:26:895 3124 Page size: 0x1000
05:13:26:895 3124 Boot type: Normal boot
05:13:26:895 3124 ================================================================================
05:13:26:895 3124 ForceUnloadDriver: NtUnloadDriver error 2
05:13:26:895 3124 ForceUnloadDriver: NtUnloadDriver error 2
05:13:26:895 3124 ForceUnloadDriver: NtUnloadDriver error 2
05:13:26:911 3124 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\Drivers\KLMD.sys) returned status 0
05:13:26:911 3124 main: Driver KLMD successfully dropped
05:13:27:004 3124 main: Driver KLMD successfully loaded
05:13:27:004 3124
Scanning Registry ...
05:13:27:004 3124 ScanServices: Searching service UACd.sys
05:13:27:004 3124 ScanServices: Open/Create key error 2
05:13:27:004 3124 ScanServices: Searching service TDSSserv.sys
05:13:27:004 3124 ScanServices: Open/Create key error 2
05:13:27:004 3124 ScanServices: Searching service gaopdxserv.sys
05:13:27:004 3124 ScanServices: Open/Create key error 2
05:13:27:004 3124 ScanServices: Searching service gxvxcserv.sys
05:13:27:004 3124 ScanServices: Open/Create key error 2
05:13:27:004 3124 ScanServices: Searching service MSIVXserv.sys
05:13:27:004 3124 ScanServices: Open/Create key error 2
05:13:27:004 3124 UnhookRegistry: Kernel module file name: C:\Windows\system32\ntkrnlpa.exe, base addr: 8241B000
05:13:27:004 3124 UnhookRegistry: Kernel local addr: 1E70000
05:13:27:004 3124 UnhookRegistry: KeServiceDescriptorTable addr: 1FA7B00
05:13:27:020 3124 UnhookRegistry: KiServiceTable addr: 1F288E0
05:13:27:020 3124 UnhookRegistry: NtEnumerateKey service number (local): 85
05:13:27:020 3124 UnhookRegistry: NtEnumerateKey local addr: 2077BAC
05:13:27:020 3124 KLMD_OpenDevice: Trying to open KLMD device
05:13:27:020 3124 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
05:13:27:020 3124 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
05:13:27:020 3124 KLMD_ReadMem: Trying to ReadMemory 0x82470AAD[0x4]
05:13:27:020 3124 UnhookRegistry: NtEnumerateKey service number (kernel): 85
05:13:27:020 3124 KLMD_ReadMem: Trying to ReadMemory 0x824D3AF4[0x4]
05:13:27:020 3124 UnhookRegistry: NtEnumerateKey real addr: 82622BAC
05:13:27:020 3124 UnhookRegistry: NtEnumerateKey calc addr: 82622BAC
05:13:27:020 3124 UnhookRegistry: No SDT hooks found on NtEnumerateKey
05:13:27:020 3124 KLMD_ReadMem: Trying to ReadMemory 0x82622BAC[0xA]
05:13:27:020 3124 UnhookRegistry: Splicing found on NtEnumerateKey
05:13:27:020 3124 KLMD_WriteMem: Trying to WriteMemory 0x82622BAC[0xA]
05:13:27:020 3124 UnhookRegistry: NtEnumerateKey (Splicing) unhooked successfully
05:13:27:020 3124
Hidden service detected: H8SRTd.sys
Type "delete" (without quotes) to delete it:


This is the log. However, I cannot get the malwarebytes program to run at all. Before I was able to just redownload it and run from the download. It will not launch or start now. It will not even update. I will try to do this in SAFE MODE WITH NETWORKING. Hopefully it will work that way.

I will post results in a few.

Edited by bewines, 06 January 2010 - 06:32 AM.
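To show what the TDSSKiller log above is actually reporting, here is an added Python example; it is not part of this thread and not Kaspersky's code. It parses TDSSKiller-style output into findings: which known rootkit service names were searched and found absent, whether the address recorded in the kernel service table matched the computed one (the "real addr" / "calc addr" pair), whether an inline splice was found on NtEnumerateKey and removed, and which hidden service was detected. The sample log is a constructed subset of the lines posted above, and reading "Open/Create key error 2" as "key not present" is an assumption made here.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the TDSSKiller log posted in this thread
# (a subset of its lines).
SAMPLE_LOG = """\
05:13:27:004 3124 ScanServices: Searching service UACd.sys
05:13:27:004 3124 ScanServices: Open/Create key error 2
05:13:27:004 3124 ScanServices: Searching service TDSSserv.sys
05:13:27:004 3124 ScanServices: Open/Create key error 2
05:13:27:020 3124 UnhookRegistry: NtEnumerateKey real addr: 82622BAC
05:13:27:020 3124 UnhookRegistry: NtEnumerateKey calc addr: 82622BAC
05:13:27:020 3124 UnhookRegistry: No SDT hooks found on NtEnumerateKey
05:13:27:020 3124 UnhookRegistry: Splicing found on NtEnumerateKey
05:13:27:020 3124 UnhookRegistry: NtEnumerateKey (Splicing) unhooked successfully
05:13:27:020 3124
Hidden service detected: H8SRTd.sys
Type "delete" (without quotes) to delete it:
"""

# Prefix of a normal log line: timestamp, then the logging process id, then the message.
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<pid>\d+)\s*(?P<msg>.*)$")
SEARCH_RE = re.compile(r"ScanServices: Searching service (\S+)")
REAL_RE = re.compile(r"(\w+) real addr: ([0-9A-Fa-f]+)")
CALC_RE = re.compile(r"(\w+) calc addr: ([0-9A-Fa-f]+)")
SDT_CLEAN_RE = re.compile(r"No SDT hooks found on (\w+)")
SPLICE_RE = re.compile(r"Splicing found on (\w+)")
UNHOOKED_RE = re.compile(r"(\w+) \(Splicing\) unhooked successfully")
HIDDEN_RE = re.compile(r"Hidden service detected: (\S+)")


@dataclass
class Findings:
    hidden_services: list = field(default_factory=list)   # services hidden from the registry API
    spliced: list = field(default_factory=list)           # kernel functions with an inline (splice) hook
    unhooked: list = field(default_factory=list)          # hooks the tool reports having removed
    sdt_clean: list = field(default_factory=list)         # functions whose SDT entry was intact
    absent_services: list = field(default_factory=list)   # known rootkit service names not found
    present_services: list = field(default_factory=list)  # known rootkit service names that were found
    sdt_addrs: dict = field(default_factory=dict)         # function -> {"real": int, "calc": int}


def parse_tdsskiller(text):
    f = Findings()
    pending = None  # service named by the most recent "Searching service" line
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        msg = m.group("msg") if m else line  # interactive prompt lines carry no timestamp/pid
        if pending is not None:
            # The line following "Searching service X" says whether X's key could be opened.
            # Assumption: "Open/Create key error 2" (ERROR_FILE_NOT_FOUND) means the key is absent.
            missing = "Open/Create key error" in msg
            (f.absent_services if missing else f.present_services).append(pending)
            pending = None
            if missing:
                continue
        s = SEARCH_RE.search(msg)
        if s:
            pending = s.group(1)
            continue
        for pat, key in ((REAL_RE, "real"), (CALC_RE, "calc")):
            a = pat.search(msg)
            if a:
                f.sdt_addrs.setdefault(a.group(1), {})[key] = int(a.group(2), 16)
        for pat, bucket in ((SDT_CLEAN_RE, f.sdt_clean), (SPLICE_RE, f.spliced),
                            (UNHOOKED_RE, f.unhooked), (HIDDEN_RE, f.hidden_services)):
            h = pat.search(msg)
            if h:
                bucket.append(h.group(1))
                break
    if pending is not None:
        f.present_services.append(pending)
    return f


def sdt_mismatches(f):
    """Functions whose service-table address differs from the computed one: the
    comparison TDSSKiller itself logs as 'real addr' versus 'calc addr'."""
    return sorted(n for n, a in f.sdt_addrs.items()
                  if "real" in a and "calc" in a and a["real"] != a["calc"])


def verdict(f):
    if f.hidden_services or f.spliced or sdt_mismatches(f) or f.present_services:
        return "rootkit indicators present"
    return "no rootkit indicators in this log"


if __name__ == "__main__":
    found = parse_tdsskiller(SAMPLE_LOG)
    print(verdict(found))
    print("hidden services:", found.hidden_services)
    print("spliced functions:", found.spliced, "-> removed:", found.unhooked)
```

The useful distinction the parser keeps is between the two hook styles: an SDT hook changes the table entry itself, so "real addr" and "calc addr" would differ, while a splice patches the first bytes of the function body, which is why the log shows a matching address pair and still reports "Splicing found".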


#5 bewines

bewines
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:07 AM

Posted 06 January 2010 - 06:49 AM

I have tried to run Malwarebytes in both normal mode and safe mode. It will not run at all. I got through the setup phase and clicked for it to update and launch and then nothing happens. I am at a loss as to what to do now.

#6 bewines

bewines
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:07 AM

Posted 06 January 2010 - 10:46 AM

I remembered reading somewhere about renaming these files so that the malware didn't catch it. I did just that and after renaming both the malwarebytes install file and the exe file itself, I was able to run it all and it found 4 infections. I selected and deleted them all. I then rebooted, but my computer never came back up. It stayed on the "please wait" screen for more than five minutes. I shut it down manually and tried to reboot again. And again the same thing. I left for work after that. I will check back here later to see what I should do next.

Thanks for everything so far.

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:07 PM

Posted 06 January 2010 - 11:19 AM

Damn these rootkits... Looks like the best thing is to do a Repair install, NOT a full one, so you won't lose your files. Is this XP? Then boot off your install / repair CD or try making a boot CD.

How to Perform a Windows XP Repair Install



BOOT CD.

Have you ever run Combofix on that computer?
Do you have a Windows XP install disc?

Do this first please........

Let's now create a boot disc so that you can access your files and folders and so I can get a look at a log.....

*** Please print these instructions ***
  • Download Hiren's BootCD Iso to the desktop of a clean computer.
  • Extract the zipped HirensBootCD.zip to your desktop.
  • Open the extracted HirensBootCD folder and extract the zipped HirensBootCD.iso.
  • Double click the BurnToCD.cmd bat file contained in the HirensBootCD folder. This will launch BurnCDCC.
  • Insert a blank CD in your drive.
  • Press Start. This will burn the image to disc. After it has completed...
  • Restart your sick computer and boot from the HBCD you created.
    • If your PC is not booting from the CD, you need to change the boot order:
      • Restart your PC
      • As soon as you get an image, press the Setup key. This is usually F2, F10, F12 or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
      • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
      • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
      • The tab should now show your current boot order.
      • If the CD drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different, but they should be stated in the help, so that you can find them easily.
      • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    • Your PC should now boot from your CD.
    • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  • When the CD boots choose "Start MiniWindowsXP". Allow Windows to load. You will see a typical Windows Desktop.
  • You will be able to access your sick drive and save files/folders from here.
  • Create an ethernet (wired) Internet Connection
    • Double click the Network Support icon on the HBCD desktop
    • A computer screen will appear in the lower right corner system tray
    • Double click HBCD Menu on your HBCD desktop
    • Choose Menu
    • Then Browsers
    • Then Opera
    • Success?
  • You should now be connected to the internet.
  • Navigate here to the forum and click this link.
  • Download the program and save it to the desktop.
  • Once saved, close all other windows then double click the program to run it.
  • When completed, a log will open.
  • Save the log to the desktop using File>Save as, then post the log in a reply.

    Please note: If you are unable to connect to the internet then please download to a flash drive on a clean computer and transfer to the sick computer to run!

  • In addition you now have access to all your files and folders amongst many other utilities that we might need to use later. :thumbsup:
  • If you double click your Windows Explorer icon on your desktop you will be able to access your hard drive.


#8 bewines

bewines
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:07 AM

Posted 06 January 2010 - 05:38 PM

I am running Windows Vista Home Edition. I will wait to see your reply before I do any of this.

#9 bewines

bewines
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:07 AM

Posted 07 January 2010 - 04:08 AM

Good NEWS / Bad News

Good - I can boot into safe mode with networking and get online and find all my files and all looks well. I am not getting those other errors that I had before, so I am assuming that the problem with Antivirus Live has been resolved.

Bad - It will not boot in normal mode - It just hangs at the "please wait" stage.

Any ideas on what to do next?

By the way, thank you so much for all your help so far. I really do appreciate you taking the time to try and resolve this problem for me.

#10 bewines

bewines
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:07 AM

Posted 07 January 2010 - 09:45 AM

More good news of sorts.

This morning I was able to boot into "last known good blah blah blah",

and once I did that, I was able to boot successfully back up each time I tried.

However, the H8SRTd files are all back again. I can do the same thing we already did, with the TDSS program, but it does the same thing each time. It leaves the computer unable to boot in the regular mode.

I tried deleting the keys for the H8SRTd infections in the registry but it will not allow me access to the ones in the controlset02 03 04 05 06 etc. It tells me each time I don't have permission. I tried every way possible that I know to change the permission, but again, no luck.

So, any new thoughts? I have found that any removers I tried to use are possible, provided I change the names to something that is not linked to virus/spy/trojan removal programs.

Please let me know if there is a way to manually delete all those registry keys. Or what else I should do.

Again, running Windows Vista Home Premium

Thanks again in advance for helping.
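The ControlSet00N keys the poster could not delete are separate copies of the service configuration. Last Known Good boots from the copy that HKLM\SYSTEM\Select\LastKnownGood points at, so a driver entry removed only from the control set currently in use comes back after that boot, which is what the thread describes. The added Python example below is not part of this thread and not any tool's code: it parses a constructed registry export of the kind `reg export HKLM\SYSTEM` produces and lists, per control set, every service whose name is on the watch list TDSSKiller searched, so a helper can see where an entry persists before deciding how to clean it. The service names, values and Select contents in the sample are constructed.

```python
import re
from collections import defaultdict

# Service names TDSSKiller searched for in the log posted in this thread, plus the
# hidden service it reported. Matching is case-insensitive.
WATCHLIST = {"UACd.sys", "TDSSserv.sys", "gaopdxserv.sys",
             "gxvxcserv.sys", "MSIVXserv.sys", "H8SRTd.sys"}

START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

# Constructed .reg export: the same driver registered in two control sets, one
# legitimate driver, and the Select key that says which control set is in use.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000001
"LastKnownGood"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\H8SRTd.sys]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\??\\C:\\Windows\\system32\\drivers\\H8SRTd.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\H8SRTd.sys]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\??\\C:\\Windows\\system32\\drivers\\H8SRTd.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="system32\\drivers\\tcpip.sys"
"""

SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?P<cs>ControlSet\d{3}|CurrentControlSet)"
    r"\\Services\\(?P<name>[^\\\]]+)\]$", re.IGNORECASE)
SELECT_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\Select\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<key>[^"]+)"=(?P<val>.*)$')


def decode_value(raw):
    """Decode the two .reg value encodings used here: dword:hex and quoted strings
    (backslashes are doubled inside .reg strings)."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    return raw


def parse_reg(text):
    """Return {"services": {name: {control_set: {value: decoded}}}, "select": {...}}."""
    services, select, current = defaultdict(dict), {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("["):
            m = SERVICE_KEY_RE.match(line)
            if m:
                current = services[m.group("name")].setdefault(m.group("cs"), {})
            elif SELECT_KEY_RE.match(line):
                current = select
            else:
                current = None  # some other key; its values are ignored
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            current[v.group("key")] = decode_value(v.group("val"))
    return {"services": dict(services), "select": select}


def find_watchlisted(services):
    """Watch-listed service names -> sorted list of control sets they appear in."""
    wanted = {n.lower() for n in WATCHLIST}
    return {name: sorted(cs) for name, cs in services.items() if name.lower() in wanted}


def lingering_copies(parsed):
    """Watch-listed services registered in a control set other than Select\\Current.
    Those copies are what Last Known Good (Select\\LastKnownGood) boots back into."""
    cur = "ControlSet%03d" % parsed["select"].get("Current", 1)
    out = {}
    for name, css in find_watchlisted(parsed["services"]).items():
        others = [cs for cs in css if cs.lower() != cur.lower()]
        if others:
            out[name] = others
    return out


def report(parsed):
    lines = []
    for name, css in sorted(find_watchlisted(parsed["services"]).items()):
        for cs in css:
            vals = parsed["services"][name][cs]
            start = START_TYPES.get(vals.get("Start"), "unknown")
            lines.append("%s: present in %s (start=%s, image=%s)"
                         % (name, cs, start, vals.get("ImagePath", "?")))
    return lines


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print("\n".join(report(parsed)))
    print("copies outside the current control set:", lingering_copies(parsed))
```

Run against a real export the same way: export HKLM\SYSTEM from the affected machine, point `parse_reg` at the file contents, and the report shows every control set that still carries the entry, which is the information needed before any cleanup or before relying on Last Known Good.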

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:07 PM

Posted 07 January 2010 - 12:07 PM

OK, good work. Yes, using System Restore restores the bad stuff too. That's why, though, I won't empty them till we are done; as you see, an infected point is better than none.
Let's try once more with MBAM.

First run RKill, then immediately run MBAM.

Please download Rkill by Grinler and save it to your desktop. (Link 2, Link 3, Link 4)
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
You will need to run the application again if rebooting the computer occurs along the way.

#12 bewines

bewines
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:07 AM

Posted 10 January 2010 - 05:39 AM

I am not sure that all is okay, but it appears that it is. I am able to shut down and boot up like normal, but my PC Tools antivirus keeps giving me an error that it has failed to load. I also had issues with my Ad-Aware. I have uninstalled them both and am going to reinstall them from fresh downloads.

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:07 PM

Posted 10 January 2010 - 09:56 PM

That should fix it.



