
Unknown virus kills and corrupts antivirus.


  • This topic is locked
9 replies to this topic

#1 Putrid

Putrid

  • Members
  • 24 posts
  • OFFLINE
  • Local time:01:03 AM

Posted 10 November 2011 - 03:02 PM

Here is my original thread

AVG, MalwareBytes, Super AntiSpyware, and GMER all crumble before this mysterious virus. AVG's real-time scanning is disabled, and if I run a scan, it completes after checking zero files saying no threats found. When scanning with Super Antispyware, MalwareBytes and GMER, they all start searching for a few seconds then get terminated and the executables become corrupted (kind of. The error message received when attempting to open the file again is "Windows can not access the specified device, path or file. You may not have the appropriate permissions to access the item.")

GMER lasts longer because it scans other entries before scanning "Processes." I'm pretty sure the other two scan processes very early in the scan (within seconds). But once it scans processes, like the rest, it gets terminated and corrupted.

I believe the culprit here is the file C:\Windows\3517402925:3534772270.exe - 464K

Unfortunately it will not show up in the log I attach since as soon as it goes to processes, the program gets terminated. You'll see in my aforementioned thread that while GMER was scanning "Files", it did find the file (C:\Windows\3517402925:3534772270.exe) and it lasted for about 10 seconds, but then got terminated and corrupted.

HALP!

Attached File  GMER.txt   16.12KB   1 downloads

Edited by Putrid, 10 November 2011 - 03:10 PM.



#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,772 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:08:03 AM

Posted 10 November 2011 - 03:08 PM

Hi,

could you please try to run a scan with OTL:
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the [image] button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 Putrid

Putrid
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:01:03 AM

Posted 10 November 2011 - 04:42 PM

Sorry for the delayed response

Attached File  OTL.Txt   66.22KB   3 downloads
Attached File  Extras.Txt   39.69KB   0 downloads

Also a new development, the buffoon using the workstation installed "Privacy Protection" which appears to be easily dealt with by MalwareBytes but, alas, that is not an option yet.

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,772 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:08:03 AM

Posted 10 November 2011 - 04:56 PM

I take it this is a business computer?

If so, I strongly recommend you to ask your IT support/network Administrator to fix this. After all they are paid to do so.

I ask this for several reasons:
  • There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware.
  • Any infection could jump terminals in a computer network.
  • There may also be legal issues regarding any loss of business data that I do not wish to deal with.
  • Some people who come here use their computers for work, and the computers may contain the patient records of a physician or the financial records of an accountant's clients or credit card and bank account information of their employer's customers.
  • There may be tremendous risks and legal liability for such users for not fully securing the computer. We will not know this unless we ask. We do not want to be accidentally putting those we help in vulnerable positions for law suits.
  • Business factors outweigh technical factors in making the reformat and reinstall decision. Sometimes friends give missing CDs or lack of expertise as a reason for not doing a reformat and reinstall.
  • The cost of replacing missing Windows XP and MS Office CDs and getting an Microsoft Certified Systems Engineer to come in for 3 hours to do the reinstall and apply all the critical updates, is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.
  • In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor trojan which puts them in a particularly vulnerable situation and sending them to seek local professional help from a Microsoft Certified Systems Engineer or Certified Information Systems Security Professional or Global Information Assurance Certification Certified Security Expert or Certified Computing Professional or Internet Service Provider than we would be trying to fully resolve their problems long distance.



#5 Putrid

Putrid
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:01:03 AM

Posted 10 November 2011 - 05:03 PM

Technically, I am their IT "professional".

#6 Putrid

Putrid
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:01:03 AM

Posted 10 November 2011 - 05:04 PM

Oh and there is no proprietary information on this machine, there are no legal issues with this.

#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,772 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:08:03 AM

Posted 10 November 2011 - 05:13 PM

Hi,

please try to be a bit more respectful of your users then at least. They may be unable to remove the malware, but that's also not what they get paid for...

Please run ComboFix next:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti



#8 Putrid

Putrid
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:01:03 AM

Posted 10 November 2011 - 08:30 PM

Oh, no, they're entertainers. It's a party entertainment company. Clowns and magicians.

It looks like ComboFix resolved the issue of the mystery file. It also came up with a message saying the station was infected with "rootkit.zeroaccess" and prompted a reboot. I haven't proceeded further yet, I'm waiting on your instruction.

Also curious why it uninstalled the old "Helper" program.

Attached File  ComboFix.txt   78.04KB   3 downloads
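An added check, not code from this thread or from any of the tools it mentions: the colon in the path reported in post #1 (C:\Windows\3517402925:3534772270.exe) is NTFS alternate data stream syntax, which is why the entry does not appear in ordinary directory listings, and why a file scan found it while process scans were being killed. This PowerShell snippet enumerates named streams under a directory and flags the numeric host/stream shape seen here. It assumes PowerShell 3.0 or later on an NTFS volume; the function name and the regex are this example's own, not indicators from the thread.

```powershell
# Added example, not code from the thread or from any tool it mentions.
# Lists NTFS alternate data streams (ADS) under a directory and flags the
# "<digits>:<digits>.exe" shape reported in post #1. Assumes PowerShell 3.0+
# (Get-Item -Stream) on an NTFS volume, run from an elevated prompt.
function Find-SuspiciousStreams {
    param(
        [string]$Path = 'C:\Windows',
        [switch]$Recurse
    )

    # -Force includes hidden/system entries; directories can carry ADS too,
    # so there is deliberately no -File filter here.
    $items = Get-ChildItem -LiteralPath $Path -Force -Recurse:$Recurse `
                 -ErrorAction SilentlyContinue

    foreach ($item in $items) {
        # Every regular file has the unnamed ':$DATA' stream; anything else
        # is a named stream that Explorer and 'dir' do not show.
        $named = Get-Item -LiteralPath $item.FullName -Stream * `
                     -ErrorAction SilentlyContinue |
                 Where-Object { $_.Stream -ne ':$DATA' }

        foreach ($s in $named) {
            [pscustomobject]@{
                Host       = $item.FullName
                Stream     = $s.Stream
                Bytes      = $s.Length
                # Constructed pattern for the shape seen in this thread:
                # all-numeric host name carrying an all-numeric .exe stream.
                Suspicious = ($item.Name -match '^\d+$' -and
                              $s.Stream -match '^\d+\.exe$')
            }
        }
    }
}

# Usage: show flagged entries only. A live rootkit can hide streams from
# user-mode enumeration (this thread's scanners were killed mid-scan), so the
# results are most trustworthy after cleanup or when run from boot media.
Find-SuspiciousStreams -Path 'C:\Windows' |
    Where-Object Suspicious |
    Format-Table -AutoSize
```

Drop the `Where-Object Suspicious` stage to review every named stream, since legitimate ones (for example Zone.Identifier on downloaded files) are common and are not flagged by the pattern.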

#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,772 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:08:03 AM

Posted 12 November 2011 - 08:53 AM

Hi,

this looks like a false positive from ComboFix. Could you give me some more info on the program, as to better establish what it is?
You can restore by moving the files back from the quarantine into the folder:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DeQuarantine::
c:\program files\Helper


Save this as CFScript.txt, in the same location as ComboFix.exe


[image]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti

Edited by myrti, 12 November 2011 - 08:56 AM.



#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,772 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:08:03 AM

Posted 29 January 2012 - 09:49 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
