One Nasty Virus/Trojan - Kills all virus scanners

My main computer was hit today by a really nasty virus/trojan

The first thing it did was uninstall - or destroy Malwarebytes

It won't let me run Bitdefender… won't let me reinstall…
I can't boot to Safe Mode…

Avast finds it… but does not seem to be able to get rid of it.

When I let Avast run a boot scan… it detects a file and I get that list
of what I want to do… then it just locks up… no matter what number
I press … nothing happens after that point.

Can I get some help…

This is one of those Fake AV malware thingies… with all the added nasties above
plus it downloads ads and porno stuff… keeps popping up what looks like Windows warnings about infected files… at one point it would not let me use task manager to end it…

I tried uninstalling it with Add/Remove it just keeps reinstalling itself.

Never came across one like this before…

Download ComboFix from Bleeping Computer onto your desktop under a different filename.

  • Double-click on ComboFix
  • Click Run
  • Click Yes to agree
  • Click Yes to install the Windows Recovery Console
  • Click Yes to continue scanning malware
  • ComboFix will create a log after it has finished scanning. Post or attach the ComboFix log.

Also, please post the name of the Avast detection, and the location (full path and name) where it was detected.

Avast detects about a dozen files… I managed to get to where
I could open the CHEST and it has about 12 files in it.

Do you want all of those files and paths?

I have to constantly battle popups to see anything

I have rebooted and run Avast over and over and each time it seems
to get a little easier to function.

I am running avast right now… and it keeps finding more files
mostly temp files

other files off the top of my head are

calc.dll
notepad.dll
ie

I managed to copy combofix with a new name via my network.
As soon as avast finishes running its scan I will post that log

Is there a way to copy and paste the Avast Chest?

This sounds like it might be beatable. Probably best to go with one thing at a time, though. Being methodical is important, so just do the combofix as suggested by Jtaylor for now.

You can’t copy/paste the chest. You could post a screenshot. (Example below.)

You’d probably need to maximize it, then move the column header as indicated in the pic to view the entire path. And, as indicated, it is only the “infected” section of the chest that is of interest.

I have tried several times to get combofix to work…
I can't get it to run… when it starts I get a popup that says
runonce is infected…

I don't know if these popups are real or not… any time I try to run
anything … including avast virus scan … I get one.

I will try a screen print of the virus chest… there are so many trojans
in there it looks like a virus dictionary!

I did a screen print but cannot get paint to run to copy it to…
so I tried excel… it copied but did not save the file… now I can't
run excel anymore… says infected

Seems I get to use a file/program once then from then on it is blocked
and I get a pop up saying cannot run … file is infected.

There are 25 items in the Chest… mostly trojans…

I am going to try rebooting … maybe I will get somewhere that way.

Delete Combofix. Run a disk cleanup. (Let me know if you need directions)
Download it again, but this time, change the name of it at the “save as” point when downloading:

Download Combofix from any of the links below. You must rename it before saving: rename it to Gotcha.exe before saving it to your desktop.

Try running it again with the new name.

I’m sorry to say, this is sounding fairly bad. Shows symptoms of the Win 32 Vitro, an infector that basically infects everything on the drive when it’s used/opened.
Does the name “Vitro” appear in the virus chest at all?

I’d start to look at backing up important files.
If you have anything real important, it may even be better to remove the HD and take it to a shop to extract the important files without the OS running, as files could be infected during the backup process otherwise.

The above is just a precaution; we don’t know what is at play, yet.

I don't remember seeing Vitro
I saw something that said Mabolb-tm or something like that
and others… I have shut down the computer cause it was driving me
nuts…

As for files… there is very little on the internal hard drive… I store
everything except the OS on external drives.

I will reboot and list some of the viruses from the chest…

I did try downloading Combofix with a different name… but will try again
with the name you suggest.

What is a disk cleanup?

How do I do that?

I normally use CCleaner on a regular basis but that is not working
anymore either.

So how would I do a cleanup

Um, forget about the cleanup. If Ccleaner isn’t working, we probably don’t want to go messing up system tools, either.
(Normally it’s “Start>all programs>accessories>system tools>disk cleanup.”) You can try it if you want, then after doing it, see if it is disabled as a result of having run.

Try Combofix as “gotcha.exe”. Do that first.
Try renaming the main exe of the MBAM program, located in C:\Program files\malwarebytes anti malware (It’s called MBAM.exe) to something like Lynn.exe, and see if it will run then. (Probably won’t. Worth a crack.)

Whatever you do, don’t place any of those storage disks back in the infected computer. I’m very glad you have backed up stuff. It makes the prospect of a format and reinstall much less painful. (For you, of course. Won’t hurt me, much.)

You can mess around with trying to fix this if you want, and as long as people here have ideas/help available, or you can just save time if you prefer, do a full format, and reinstall Windows.

Do you have another working computer with a net connection available?

Yes I have 2 other computers on the same network… both connected to the internet…

I have been transferring from computer 2 to the malfunctioning one via the network… I managed to open excel and got a screenshot thru the network

It's a risk I know but I will attach it for you and run avast to make sure I
didn’t bring anything over.

I have no idea how to format and reinstall…

My computers are Dell computers and they have one small partition and one large…

I format my external drives all the time … but never did a computer and
OS install…

I will try combofix now that I got the screen shot…

Had to transfer to paint so it is in 2 parts…

Every time I reboot and run avast… I get more files added to the chest.

The files are still too large… how can I make them smaller or get them to you?

Crikey. Disconnect the infected machine from the network. Now.

Thing is, until we know for sure what you’re dealing with, it remains unknown (but a possibility) that it could affect the other computers on the home network.
So, at a minimum, at least make sure the other computers are well and truly firewalled inbound from the sick computer.

The sick computer appears to not be able to run any application more than once, if at all. That points to a fairly virulent infection that Avast is unable to clean. I strongly suspect the infection agent is polymorphic (as Vitro is), that is, it re-codes/renames itself each time it infects something, to (a) make it more difficult to fix, and (b) to evade detection.

You do not want any part of that code getting into another computer.

Any idea how you got this?

I was doing my weekly TV guide… so I had zaptoit open IMDB TV.com
and a few others…

How can I get that excel spreadsheet to you…
It is 204kb and this system only takes 200kb at a time

It has a complete list of the Avast Chest but I have copied the list
best I can… These are the Virus/Trojans … do you want me to match them to their respective files?

Win32:Malware-gen
Win32:MalOb-T[Cryp]
JS:FakeAV-AI[Trj]
Win32:Spyware-gen[Spy]
Win32:Rootkit-gen[Rtk]
Win32:Walivun[Trj]
Win32:Trojan-gen

Most of the files affected are temp files

uacdf4f.tmp C:\Documents and Settings\Lynn\LocalSettings\temp
uace20e.tmp C:\Documents and Settings\Lynn\LocalSettings\temp
uace53b.tmp C:\Documents and Settings\Lynn\LocalSettings\temp
uadeeae.tmp C:\Documents and Settings\Lynn\LocalSettings\temp
uacf0e1.tmp C:\Documents and Settings\Lynn\LocalSettings\temp
Uninstal.exe C:\ProgramFiles\ActiveSecurity
uqxq44.dll c:\windows\system32
winamp.exe C:\Documents and Settings\Lynn\LocalSettings\temp
trz11.tmp C:\WINDOWS\system32
trz10.tmp C:\WINDOWS\system32
syssvc.eve C:\WINDOWS (this one appears 15 times)
scandsk.dll C:\documents and settings\lynn\startmenu\programs\startup
rundll32.dll C:\Documents and Settings\Lynn\LocalSettings\temp
ntuser.dll in c:\DOCUME~1\Lynn (appears 3 times)
litoqbe_cr[1].htm C:\Documents and Settings\Lynn\LocalSettings\ ~~~(another temp internet file)
islv.exe C:
Installer.exe in c:\DOCUME~1Lynn\LOCALS~1\Temp (appears 3 times)
iehelper.dll in c:\windows\system32 (this one appears 4 times)
flst[1]js c:\Documents …blah blah … TempInternetFiles\IE5\LDJALNF3
coreext.dll c:\programfiles\active security
calc.dll in c:\windows\system32
6to4v32.dll in c:\windows\system32

asecurity.exe (this one is one of the popups phony security things that caused the problem I believe) c:\programfiles\active security
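
Added example, not part of the original thread: a short Python triage pass over a few of the chest entries listed above, showing why some of them stand out to a responder. The heuristics (a genuine Windows file name reused with a different extension, a loadable file sitting in a temp folder, a Startup folder entry) are illustrative assumptions, not Avast's detection logic.

```python
import ntpath

# Constructed sample: (file name, folder) pairs copied from the chest listing in the thread.
CHEST = [
    ("uacdf4f.tmp", r"C:\Documents and Settings\Lynn\LocalSettings\temp"),
    ("winamp.exe", r"C:\Documents and Settings\Lynn\LocalSettings\temp"),
    ("rundll32.dll", r"C:\Documents and Settings\Lynn\LocalSettings\temp"),
    ("scandsk.dll", r"C:\documents and settings\lynn\startmenu\programs\startup"),
    ("calc.dll", r"c:\windows\system32"),
    ("ntuser.dll", r"c:\DOCUME~1\Lynn"),
    ("Installer.exe", r"c:\DOCUME~1Lynn\LOCALS~1\Temp"),
    ("iehelper.dll", r"c:\windows\system32"),
    ("asecurity.exe", r"c:\programfiles\active security"),
]

# Genuine Windows XP files whose base names the thread reports with another extension.
GENUINE = {"calc": ".exe", "notepad": ".exe", "rundll32": ".exe", "ntuser": ".dat"}
# Extensions that Windows will load or execute (assumed shortlist for this example).
LOADABLE = {".exe", ".dll", ".scr", ".sys"}


def triage(name, folder):
    """Return the reasons a quarantined entry deserves a closer look."""
    base, ext = ntpath.splitext(name.lower())
    parts = [p for p in folder.lower().replace("/", "\\").split("\\") if p]
    reasons = []
    if base in GENUINE and ext != GENUINE[base]:
        reasons.append("mimics %s%s" % (base, GENUINE[base]))
    if ext in LOADABLE and any(p in ("temp", "tmp") for p in parts):
        reasons.append("loadable file in temp folder")
    if parts and parts[-1] == "startup":
        reasons.append("startup folder entry (persistence)")
    return reasons


def report(entries):
    """Map full path -> reasons, only for entries with at least one reason."""
    out = {}
    for name, folder in entries:
        reasons = triage(name, folder)
        if reasons:
            out[ntpath.join(folder, name)] = reasons
    return out


if __name__ == "__main__":
    for path, reasons in report(CHEST).items():
        print(path, "->", "; ".join(reasons))
```

Entries with no reasons are not cleared by this; the scanner already quarantined them, and the script only ranks which locations to check first for persistence.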

What about the Microsoft Recovery Console?
I can boot up into that (or I could anyway) but I don't know how
to use it …

or boot up from a disk into safe mode

I think if I could get into safe mode maybe that would help get rid of this.

Sorry… as a last resort … I would not mind reformatting if someone could guide me.

I have all my software discs…
I don't have a full scale OS disc… I have a Dell OEM OS disc… would that work?

I have a bunch of useless software on the sick computer… don't use it so would not
reinstall it… just my CD ROM drive and DVD drive… Nero … Office… that is about all
I use on that computer… Don't use email there…

How to reformat

WinXP
http://video.google.com/videosearch?hl=no&source=hp&q=how+to+reformat+xp&um=1&ie=UTF-8&ei=eTXsSoCjGYLY-Qbl_KHwCw&sa=X&oi=video_result_group&ct=title&resnum=4&ved=0CBsQqwQwAw#

vista
http://video.google.com/videosearch?hl=no&source=hp&q=how+to+reformat+xp&um=1&ie=UTF-8&ei=eTXsSoCjGYLY-Qbl_KHwCw&sa=X&oi=video_result_group&ct=title&resnum=4&ved=0CBsQqwQwAw#q=how+to+reformat+vista&hl=no&view=2&emb=0

XP http://www.google.no/search?hl=no&source=hp&q=how+to+reformat+xp&meta=&aq=f&oq=

vista http://www.google.no/search?hl=no&q=how+to+reformat+vista&meta=&aq=f&oq=

how to reinstall a dell computer
http://www.ehow.com/how_2172122_dell-computer-microsoft-windows-xp.html

I read about reformatting… WOW!!

I have all drivers … but I would sure like to avoid reformatting

Do you suppose I could reboot to CD and try a system repair?
or are the viruses/trojans too bad for that?