Microsoft Antivirus Pro! Wow.

I see that many people are having issues here. I noticed this about 4 days ago on an XP machine, SP2. This is my daughter's PC and I have another, usable PC across the room running Vista. The PCs are networked via wireless router.

The various symptoms over the past few days include:

The PC automatically restarting.

Many programs will not run. I will either get a "OPEN WITH..." box or a message that says that the specified path, program or file cannot be found or I may not have permissions to run it.

Programs like MBAM, SAS, etc. will begin but die after a short time or I will not be able to start them at all. I found a bunch of files that appeared to be linked to this issue and I removed them, but the malware came back. I am currently running RootRepeal and it's scanning files at the moment.

I have also used some of the Doug Knox scripts to open up REGEDIT, etc. since the bug had shut that program down too.

Someone on Bleepingcomputer sent me a RANDMBAM program, but it does not create a shortcut as it should.

I see that there are threads here and I am following the other one that is most current. I plan to finish RootRepeal, restart and then try the other pgms.

If there is anything else, please let me know. I have been working on this for 4 days and I'm ultra-frustrated.

Thanks.

 

Update:

I went through the process with my system in Safe Mode (so I could access permissions) and without web access (someone else told me that due to the apparent severity of this bug, I should disconnect it from the web immediately).

* I went in and reset MSCONFIG to run in normal mode. It was set to "special".
* TDSSserv.sys was not present in the device manager.
* CCleaner run through without issue.
* My folder options did not exist. I found a process online to go into the registry and take out the NOFOLDEROPTIONS entry. I fixed that and then made the necessary changes regarding hidden file, etc.
* I removed all "known" problematic programs on my system using add/delete programs
* I removed some old Norton Anti-Virus folders (I use McAfee now).
* I changed the permissions on Super Anti-Spyware and ran it. It scanned for about 20 mins and then was terminated by something. I did it again and had the same result.
* MBAM runs for about 30 seconds and is terminated.
* Combofix brings up a progress bar that goes all the way through and then I get the following messages...
GRPCONV is missing
32788R22FWJFW.exe cannot be found (multiple versions of this message come up with various programs names and extensions)
Interference is detected, run ROOTKIT scan
* ROOTREPEAL runs and I can hear it accessing the drive for the time being. It says, "Initializing, please wait..." and also says, "Scanning for hidden/locked files...". The last time(s) I ran this program, it ran overnight and didn't seem to be doing anything and nothing appeared in the screen either. I will report back when it's finished.


Side notes: On Bleepingcomputer, a few people suggested running Sophos ARK, OTL and GMER. Only GMER ran all the way through and actually produced a log. Please let me know if you would like to see it.

 

Another update... after about an hour of running, RootRepeal appears to stall and the entire system is frozen. I can no longer hear the disk being accessing (quite loud on this PC) and my guess is that something terminated RootRepeal just as my other tools have experienced. The only difference is that the RootRepeal screen stays up instead of disappearing. But when this happens, I cannot do anything else on the PC... Task Manager won't come up, etc... the PC is frozen. I am now rebooting back into normal Windows mode to see if RR will run all the way through.

 

I apologize for the bump.

I ended up making backups of my user data, reformatting the C: drive, laying the OS back down along with my user data, McAfee, iTunes, Linksys CD, etc. and everything is fine. The PC is running like new which is a nice by-product. I have spoken to many people who encountered Windows Anti-Virus Pro and none of them have been able to remove it using the standard tools. This seemed to be the only way. I posted this to tell others that this does appear to work and that WAVP did not return with the restore of my user data. MBAM, HJT and SAS all show that everything is clean. Thanks for the help.

 

Chas: Thanks for the reply. I was not able to get one of the suggested programs to run and produce a log which is why none were submitted. I was either unable to run programs or if I did get them to begin, something terminated them. I reformatted the drive and reinstalled everything in frustration. I also wanted to raise my fists to the sky in victory over this nasty bug. As always, thank you for the help and many thanks to everyone who helps on the site. I know it's probably a thankless job but many people rely on this site to help them out and there is much appreciation.

 

Yes, I downloaded MGTools and it acted the same as the other programs. I started it and it began to run... then it was terminated about a minute into running. When I ran it again, it said that Windows could not find the specified program, device or path or that I did not have permissions. I restarted into Safe Mode, reset the permissions and ran it again but it was terminated again. I believe I tried renaming it too but this bug would also prevent copying, pasting and renaming of certain programs. I was trying to get a log to you guys because I know that's your view into the problem. The only program that I ran that actually produced a log was one that I learned about on Bleepingcomputer... GMER. I told them that I had a log but they told me that GMER is not really part of their removal routine and that I could post the log if I wanted, but that it may not tell them much. Again, the help is top notch and much appreciated. I know you guys are swimming against the current here. Thanks! :cool