Antinny.AT Worm- Removal problem

Greetings... you guys seem like knowledgeable folks, so I thought I would ask here.

My roommate's computer has somehow gotten the Antinny.AT worm. Now, I have installed NOD 32 on there for her, and NOD does catch the virus. However, it says that to complete removal, it requires a reboot. Upon rebooting, though, the virus is still there, as if nothing happened.

After the first couple times I tried this, I disabled System Restore, but I still have the same problem.

I've run NOD 32, several online virus scanners, and nothing has worked. NOD 32 says the file is present in system memory, which is why it cannot remove it. Winlogon.exe is constantly trying to access the infected .dll and using approximately 50% of her CPU. However, in Safe Mode it does not have this problem.

I am assuming Antinny.AT is a new variant of the Antinny worm, as I cannot find ANY information about it.

Any suggestions? Thank you for your time and help.

 

Welcome to MajorGeeks.com, please follow the steps below:

http://www.majorgeeks.com/images/grenade.gif Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

• Make sure you check version numbers and get all updates.

http://www.majorgeeks.com/images/grenade.gif Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

http://www.majorgeeks.com/images/grenade.gifAfter doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

http://www.majorgeeks.com/images/grenade.gif Downloading, Installing, and Running HijackThis

 

Okay... I ran through the tutorial. I ran all the spyware programs, two of the online scanners (Bitdefender and Kaspersky), and still NOD32 finds the Antinny.AT worm. After running the Anti-spyware programs and online scanners, they did find and fix a few miscellaneous viruses and a bunch of spyware, but the main worm is still there.

I have System Restore disabled, and NOD32 says it requires a reboot to remove the infected .dll file. In teh warning window it says:

"The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed. Event occurred at an attempt to access the file by the application: \??\C:\WINDOWS\system32\winlogon.exe."

Upon selecting delete, it closes the warning window and then opens another one. Renaming the file has no effect either, although the renamed file does get deleted.

Upon bootup, there are two error messages.

"Error loading C:\WINDOWS\cfgmgr51.dll
The specified module could not be found."

"Error loading AUNPS2.DLL
The specified module could not be found."

The HJT log is attached. Thank you for any help you can provide.

 

Please download HOSTER and then follow the below steps.

• Unzip HOSTER to a convenient folder such as C:\Hoster

• Run Hoster.exe, click Restore Original Hosts and then click OK.

• Click the X to exit the program.

After you complete the above, please see the below thread on how to install and run Spy Sweeper.

Running Spy Sweeper...

 

Actually, we just went ahead and formatted and reinstalled Windows, so I suppose it's a moot point now.

Thank you, though.

 

I'm sorry to hear you had to format as we could have gotten you all cleaned up.

To prevent it from happening again you should see this article on How to Protect yourself from malware!

Surf Safely!

 

Hehe... like I said, it was my roommate... I know to keep myself protected.