I've been completely owned by a sophisticated virus

Pretty much what the topic title says… I’ve tried everything???

I looked up the characteristics of the virus and it looks a lot like Crowt.d, but that virus was released back in 2005? So I’m not sure… here is how sophisticated the virus is…

It blocks all of the antivirus websites and most help topics… (I'm writing this from my laptop)

It blocks the execution of antivirus programs… somehow avast was the only program that I managed to install… (but I had to rename the .exe to a name that didn’t say avast.)

It redirects my Google searches to spyware websites… and generally slows down Internet Explorer.

It does not show up in HijackThis… or in my processes list…

I also managed to install microtrend… and after killing some copies of the virus it reinstalled itself… never to be found by microtrend again… then it somehow attacked microtrend and disabled the scanner. Doesn’t really sound like the harmless crowt.d anymore.

It also blocks the internet connection for antivirus software updates… and while I’ve manually updated avast to 11-30-08 definitions… and deleted 189? infected files… the virus reinstalled itself ONCE AGAIN.

and this time ONCE AGAIN, nothing shows up in the scans… it's like it knows how to hide itself each time you kill a part of it.

Uhhh, I don't know what to do??? Even when I manually try to install other AV programs, it interrupts the action and blocks them from running… even if I thoroughly rename everything.

avast is the only thing that is running… but like I said the scans no longer pick up anything.

This has been one hard fucking virus to kill… never had a virus like this before… anyone know what's up?

to add to the list:

it first disabled the NEXT button on my system restore… then the 2nd time I tried system restore, it deleted all of the restore points.

When I tried system restore in safe mode with no internet connection… a tab opened up and said, "this won't save your pc"

and I just tried to run avasti antirootkit in all modes and it says it cannot find drive C:

fuck :-\

can you open ‘msconfig’ in run tab?

yes i can.

I also tried manually deleting registry values through the regedit command. It also blocked that…

I'd try a rescue CD: burn one on your lappy and boot the computer from it. If it doesn't cure the problem, it should allow you to save your files to a flash drive, then reformat the disk and reinstall your OS.

(If you can't save files from the rescue disk, burn a Linux LiveCD; you'll be able to do it from there. Ubuntu is a safe bet.)

http://dnl-eu10.kaspersky-labs.com/devbuilds/RescueDisk/kav_rescue_2008.iso
http://dlpro.antivir.com/down/vdf/rescuecd/rescuecd.exe
http://download.bitdefender.com/rescue_cd/BitDefenderRescueCD_v2.0.0_07_08_2008.iso
http://www.f-secure.com/linux-weblog/files/f-secure-rescue-cd-release-3.00.zip

This would probably be my last option.

All I would do in your situation is look closely through the programs in the startup field for something that's not kosher and stop them one at a time; steer away from the system programs though.

If this is over your head then wait for one of our resident gurus to wander in.

good luck

I’ve gone way beyond that… I’ve stopped them all… It won’t die.

Initially there were some "non-kosher" files… but microtrend and avasti killed them. They don't show up in the list anymore… yet the virus is still alive.

Like I said, this virus copies itself… and never in two places at the same time.

can you try getting MBAM onto your system and see if it can help?
http://www.malwarebytes.org/

The rescue disks all do a virus scan, so there is an option before the reformat, and running from a boot disk, nothing can interfere with the scan, i.e., the little rascal virus is powerless to resist.

Nah, this program didn't work… it installs, but it freezes after that. The virus interrupts it from running properly.

I've run avast from boot mode… before the operating system ever came up and it caught 2 trojans… deleted them both and the virus was still there after I booted up… I ran it again, and it came up clean. I don't think the rescue disk will have much different results?

Does anyone know what kind of virus this is? Anyone have similar problems?

Most of the people you find here are, like you, just browsing through. The Avast staff are only occasionally available to help people out.

Having said that, I think Frank's option is probably your best shot.

All I could add is maybe ComboFix: http://subs.geekstogo.com/ComboFix.exe

But if it's stopping everything else then this will probably get hit as well.

good luck

Each of the rescue disks runs a scan from a different company. No AV is guaranteed to find 100% of viruses, so your best bet is to try a scan by a different AV.

If you can get into Safe Mode, you could try these. (You may need to rename the files if they are being blocked.)

Try a scan with DrWeb CureIT!
Try a scan with Kaspersky Virus removal Tool

Maybe worth reading this thread as it uses a lot of tools that you might find helpful.
Wish I could offer more, but I'm not the expert that Essexboy is and there is probably an order to what tool to use and how, so venture in at your own risk. http://forum.avast.com/index.php?topic=40551.msg339883#msg339883

Hi…

Let's tone down the language, please. This site is for everyone, including the young. :)

Best Regards…

No problem… I appreciate all the help so far… anyone have any more suggestions?

So far you have told us virtually nothing. Random infection doing random stuff??
How about posting some information, a HJT log perhaps.

Igotowned, can you boot into safe mode? If not, you got really owned. :P

If you can boot to safe mode there may be help. HijackThis! http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis can see processes that ‘stealth’ themselves. Post your HijackThis! log to this forum. http://www.bleepingcomputer.com/forums/forum22.html

If that can’t get rid of the bad process and you can boot to safe mode, you can search the Registry there for the process’ current filename(s) and delete whatever in the Registry is launching them.

Another utility that may reveal suspicious processes is Sysinternals Autoruns. Microsoft bought out Sysinternals, hiring some of their people who continue to update the Sysinternals free utilities. Microsoft wanted their ERD Commander, which is now called DaRT (Diagnostics and Repair Tool), a part of Microsoft Desktop Optimization Pack (MDOP). Unfortunately that ain't free.

One of the ways stealth malware protects itself is by using one of the several 'legal' methods of running a process during boot to write run commands into the Registry that launch other processes. Once those launch, they delete the run commands and 'attach' multiple file handles to themselves, usually from explorer.exe.

One thing that can deal with these is Unlocker. http://ccollomb.free.fr/unlocker/ Install it, then locate the current malware file, right-click on it, then click Unlocker. Select Delete and Kill Process. This will simultaneously kill explorer.exe and delete the malware file, causing a BSOD. Poke the reset button and you may have killed your malware. It won't have had the chance to set things up during shutdown to relaunch at boot and sanitize the Registry, so the rest of it can be found and deleted.

If it comes back, there’s a low-tech solution. After the PC is done booting, turn off the power switch on the back of the box or pull the power cord. Plug back in and boot to safe mode to clean the registry.

Another trick is causing the PC to reboot if you try booting to Safe Mode.

However, the bad guys have advanced beyond those fixes. Some newer malware can sanitize the registry so that nothing shows up in safe mode to delete. I've encountered one very nasty one that could actually run in safe mode, which is supposed to be IMPOSSIBLE! Only processes from Microsoft are supposed to be able to be running in safe mode, yet the bad guys have figured out how to do it. When I got one of those, I had to connect the hard drive to a clean PC and scan it. It took Grisoft (I was using AVG 7.x then, which didn't catch the nasty thing) four days (and around 12 rapid-fire update releases) before AVG was able to fully clean it out. This one also would delete all the major AV and anti-malware apps and blocked them from being installed.

Pulling the power on that one revealed another new twist. Replacing or renaming at least one critical system file needed to boot, then putting it back right during shutdown. Pull the plug and your PC no longer boots. A Repair Install will get you back to Windows, and your virus. Time to pull the drive and connect to a clean system to scan.

NEVER try to open any file or run any program from an infected drive connected to a clean system! Scan, scan, and scan again, wait for some updates to your AV and scan it again. Put it back in its own box and see if the virus comes back. If not, yay! Run HijackThis! and Autoruns to locate any leftovers and delete them.

Another useful tool is a bootable CD with utilities that can explore the infected system and edit its Registry. ERD Commander / DaRT can do that and there are some free ones like Ultimate Boot CD or Bart PE. If you have access to MDOP, DaRT 5 is for XP and DaRT 6 is for Vista- but you can build a 6.0 CD on a Vista system (with the latest Standalone System Sweeper updates) and boot an XP box to run SSS.

It’s always a new adventure with the ever clever new surprises from the crackers.

P.S. I remember the first computer magazine article printed in the 80’s about the possibility of programs that could exhibit “virus like” behaviours. My thought then was “YOU IDIOTS! You’ve just given people some very bad ideas! THINK before unleashing such stupid ideas on the world!”. Computer viruses probably would’ve happened anyway, why’d the honest programmers have to go and give the rotten ones the idea in the first place? It was the computer equivalent of publishing an easy recipe for nerve gas in a newspaper.
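The post above suggests searching the Registry for whatever is launching a hidden process, and describes malware writing run commands into the Registry at boot. As an added example (not code from this thread or from any of the posters), the following PowerShell script enumerates the common autostart locations (the Run/RunOnce keys and the Winlogon Shell/Userinit values), extracts the executable each entry points at, and flags entries whose target is missing or lives outside the Windows and Program Files directories, so they can be checked by hand or cross-referenced with an Autoruns or HijackThis listing. It assumes Windows PowerShell 3.0 or later run from an elevated prompt; the key list and the "trusted roots" heuristic are this example's own choices, not a definitive list of persistence locations.

```powershell
# Added example, not code from the thread: list the autostart registry
# locations the post above describes and flag entries that merit review.
# Assumes Windows PowerShell 3.0 or later, run from an elevated prompt.

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Directories where a legitimately installed autostart program is expected to live
# (a heuristic chosen for this example; adjust for your environment).
$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Get-AutostartEntries {
    param([string[]]$Keys = $AutostartKeys)

    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key

        foreach ($prop in $values.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, etc.; those are not registry values.
            if ($prop.Name -like 'PS*') { continue }
            # Under Winlogon only Shell and Userinit start programs at logon.
            if ($key -like '*\Winlogon' -and $prop.Name -notin @('Shell', 'Userinit')) { continue }

            $command = [string]$prop.Value
            # Crude extraction of the executable: a quoted path, or text up to the first space.
            # Unquoted paths containing spaces will be truncated; review those by hand.
            if ($command -match '^"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($command -split ' ')[0].TrimEnd(',') }
            # Bare names such as explorer.exe resolve relative to the Windows directory.
            if (-not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $env:SystemRoot $exe }

            $exists = Test-Path -LiteralPath $exe
            $inTrustedRoot = $TrustedRoots | Where-Object { $exe -like "$_\*" }

            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $command
                Exists  = $exists
                # Flag for review: target missing, or outside the trusted roots.
                Review  = (-not $exists) -or (-not $inTrustedRoot)
            }
        }
    }
}

# Flagged entries are sorted to the top for inspection.
Get-AutostartEntries | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap
```

The script only reads the Registry and reports; deleting an entry is left as a deliberate manual step after the flagged target has been identified, since a wrong deletion in Winlogon (for example of the Userinit value) will leave the machine unable to log on. An entry that points at a file which no longer exists is consistent with the behaviour the post describes, where the launched process removes its own run command.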