New Virus, disables AV removal software

Discussion in 'Malware Help (A Specialist Will Reply)' started by JeffMIS, Sep 10, 2009.

  1. JeffMIS

    JeffMIS Private E-2

    Got a new virus on 2 different systems. Systems are from 2 completely different people and one of the systems was in New Mexico when infected (they brought it to me) and the other in San Francisco.

    The virus disables any programs that check for viruses or do system testing. Hijackthis starts to run once, will show the screen and when you pick any option it immediately shuts down and won't run again getting an error message saying I don't have permission to access the file.

    I can run

    cacls hijackthis.exe /g administrator:f

    And it will get Hijackthis (or any other program) to run once again, but it immediately gets locked out when doing it. Tried renaming hijackthis.exe to another name, to see if they keyed on the name, still got disabled.

    I tried to run Housecall, the moment it started running the scan the window closes.

    I have been running UBCD to get into the system and try and clean files and the registry.

    The system had a few viruses... now I have to hit CTRL+ALT+DEL and run Explorer manually, half the time, to get it to come up with a desktop. Weird thing is... sometimes it comes up without doing that.

    The registry exefile key was changed to run another program, I corrected it.

    The registry userinit key was changed to run another program, I fixed it.

    Active Desktop Recovery is up on the screen, and it can't be resolved, even by renaming the HTT file.

    Tried using Avast, can get it to install and even do the boot time scan, but once the system comes up it disables the main service.

    I have run McAfee from the UBCD using the latest virus definitions (9/9/09) and it still can't find a virus on the system.

    I have looked in all the usual places for viruses... some of them are: Windows, windows\system32, the dllcache and drivers folders, Temp in the windows folder and the users, all users Administrative tools, Root of C:, Program Files, Program files/common files, Temporary Internet and even some more. Found many infected files and renamed all of them (e.g. change exe to xex and dll to lld, in case the file is needed to boot I can change it back).

    I am at a loss when it comes to resolving this, think it is brand new (I have been cleaning viruses almost daily for 6 months) since I have not seen this particular problem until Friday.
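    The post above mentions two registry hooks that had been rewritten (the exefile open command and the Winlogon Userinit value). The script below is an added example, not code from this thread or from MajorGeeks: it audits a regedit .reg export taken from the infected drive while it is mounted offline in another machine, and reports whether those two values still match stock defaults. The expected exefile command is the real default; the Userinit path varies by Windows version, so it is matched by its tail rather than a literal path (an assumption stated in the code). The tampered sample is constructed with obvious PLACEHOLDER names.

```python
"""Audit a regedit (.reg) export for the two persistence hooks named in the
post: the exefile shell\\open\\command default and the Winlogon Userinit value.
Added example, not the thread's own code. Feed it a .reg export produced from
the offline drive (regedit /e, or a hive loaded under a temporary name with
reg load) or run it on the constructed samples at the bottom."""
import re
import sys
from typing import Dict, List, Optional

EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXEFILE_EXPECTED = '"%1" %*'            # stock default for launching .exe files
USERINIT_TAIL = r"\system32\userinit.exe"  # assumption: match by tail, drive letter/windir vary

_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: string_value}} for string (REG_SZ) values.
    The key's default value is stored under the name '@'. dword:/hex: values are
    skipped because the two checks here only need strings."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            keys[current][name] = _unescape(m.group(3))
    return keys


def _find_key(keys: Dict[str, Dict[str, str]], wanted: str) -> Optional[Dict[str, str]]:
    # Case-insensitive lookup; HKCR\... is an alias of HKLM\SOFTWARE\Classes\...
    aliases = {wanted.lower(),
               wanted.lower().replace("hkey_classes_root\\", "hkey_local_machine\\software\\classes\\")}
    for path, values in keys.items():
        if path.lower() in aliases:
            return values
    return None


def audit_reg_export(text: str) -> List[str]:
    """Return findings as strings; an empty list means both hooks look stock."""
    keys = parse_reg_export(text)
    findings: List[str] = []

    exe = _find_key(keys, EXEFILE_KEY)
    if exe is None:
        findings.append("exefile\\shell\\open\\command not present in export")
    elif exe.get("@", "") != EXEFILE_EXPECTED:
        findings.append(f"exefile open command hijacked: {exe.get('@')!r} (expected {EXEFILE_EXPECTED!r})")

    wl = _find_key(keys, WINLOGON_KEY)
    if wl is None or "Userinit" not in wl:
        findings.append("Winlogon Userinit not present in export")
    else:
        # Stock value is exactly one entry, <windir>\system32\userinit.exe, with a trailing comma.
        entries = [e.strip() for e in wl["Userinit"].split(",") if e.strip()]
        if len(entries) != 1 or not entries[0].lower().endswith(USERINIT_TAIL):
            findings.append(f"Winlogon Userinit altered: {wl['Userinit']!r}")
    return findings


# Constructed samples (not real exports from the machines in the thread).
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

TAMPERED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\All Users\\PLACEHOLDER.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\PLACEHOLDER.exe,"
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # regedit writes UTF-16 with a BOM; utf-16 decoding handles that, ASCII falls back.
        data = open(sys.argv[1], "rb").read()
        text = data.decode("utf-16") if data.startswith((b"\xff\xfe", b"\xfe\xff")) else data.decode("latin-1")
    else:
        text = TAMPERED_EXPORT
    for f in audit_reg_export(text) or ["no findings"]:
        print(f)
```

Run it with the path of the .reg export as the only argument; with no argument it audits the constructed tampered sample and prints two findings. Matching Userinit by its tail rather than a literal path is what lets the same check pass on XP-era and later installs, but it also means a value such as the tampered one, which keeps the real userinit.exe and appends a second program, is only caught by the entry count, so both conditions are tested.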
     
  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks, JeffMIS

    We've been dealing with this new infection for over a month - other scanners will also run only once.

    * Use this thread for only one machine, to avoid confusion - and create a new thread for the other.

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. JeffMIS

    JeffMIS Private E-2

    I seem to have finally removed this virus.

    I took the drive out of the Laptop since it would not allow running any software.

    Stuck it in another system as the 2nd drive, and had Avast Anti virus on that system.

    Kept running virus checks every couple of days, the 7/13 or 7/14 avast update finally removed the virus and now the system is working properly again.

    Sometimes it pays to just wait some time, I knew this was a new exploit, and sure enough, they cracked it.
     
  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member


    I'm glad that you got your machine cleaned, JeffMIS. If you are confident and don't wish us to review logs - please take the time to look over our How to Protect yourself from malware! guide.

    Safe surfing!
     
