Tough Virus Help please

Discussion in 'Computer Games and General Discussion' started by Hakoda, Jul 4, 2009.

Jul 4, 2009

Tough Virus Help please by Hakoda at 12:11 AM (2,453 Views / 0 Likes) 32 replies

  1. Hakoda
    OP

    Member Hakoda GBAtemp Addict

    Joined:
    Feb 2, 2008
    Messages:
    2,133
    Location:
    San Jose, CA
    Country:
    United States
    If I'm posting in the wrong section, mod please move it.

    This is probably one of the hardest viruses I've ever seen. Very hard to get rid of, but something tells me that the members of GBAtemp won't be stopped by something like that. This isn't on my computer, it's on a neighbor's computer. Her computer is running Windows XP. Unknown which service pack, because the virus blocks that dialog box.

    Virus Description:

    - Blocks all programs from executing, unless renamed to a current windows process such as explorer.exe.
    - Endless Pop-Ups & Balloons telling us that your system is infected.
    - Background has changed to something like this: link
    - Fake Antivirus; takes the name "Security Center 4.52"

    I've tried to install anti-viruses onto a USB and launch them from the computer that way.

    Anti-Viruses that have been tried:

    - Malwarebytes: Result: Runtime error 0, then 440. Not blocked by the virus if the main executable is renamed to explorer.exe. (If the runtime error could be fixed, it would work.) If you have a solution to this runtime error, please make sure that it's a patch that patches the .exe itself and does not involve any other program, because the virus blocks them. So if you have a patch, I can patch it beforehand, but a CMD trick or something similar won't work because CMD is blocked on her computer.

    - Avast Home Edition: Result: Unable to install on a USB.
    - Spybot S&D: Result: SUCCESS. Security Center 4.52 still remains though.
    - AVG: Result: Will only install to a hard drive, not USB.
    - Dr.CureIt: Result: Failed to execute.
    - Avira AV: Result: Failed to execute.
    - Dr.Web LiveCD: Result: Still Scanning.

    I can try HijackThis, but I won't be able to view the log from that computer. If I can save the log file and send it to another site, that may be a solution.

    My neighbor has left for a 4th of July Party and said that I can come back tomorrow and try some new things. Hopefully, some Tempers can give some ideas or even a solution so that I will be able to fix it quickly tomorrow morning.

    ~ Jon
     


  2. wchill

    Member wchill Resident chillxpert

    Joined:
    Jun 12, 2008
    Messages:
    1,407
    Country:
    United States
    To access 16 bit Command Prompt, try COMMAND.COM.
    As for your problem, grab Ubuntu 9.10 and burn it to a disc, boot it, grab + run an AV from there. Or you can try to manually delete whatever's causing the problem.

    After Googling, apparently some of these processes are causing the problem:

     
  3. nicky041192

    Member nicky041192 GBAtemp Maniac

    Joined:
    Mar 9, 2008
    Messages:
    1,433
    Location:
    UK
    Country:
    United Kingdom
    try AVG 8.xxx; go on avg.com and get it. I had a virus that blocked me from viewing sites that talk about how to remove viruses and stuff. I had to reset Windows....
     
  4. WB3000

    Member WB3000 GBAtemp Advanced Fan

    Joined:
    Apr 5, 2007
    Messages:
    668
    Country:
    United States
    I never have to deal with infected PCs, but you did mention that cmd is blocked on the computer? Is this done by the infection or is that due to limited user status, etc.?

    If it's the latter, you could try using the patched version of CMD I've made. It will run no matter what the PC settings are regarding CMD.

    http://www.mediafire.com/?ernjn0l2mjb

    It might be useful if you find out exactly what needs to be removed.
     
  5. dawn.wan

    Member dawn.wan GBAtemp Fan

    Joined:
    Apr 6, 2008
    Messages:
    370
    Location:
    Toronto, ON
    Country:
    Canada
    here dude

    download:
    Dr CureIt
    http://www.freedrweb.com/cureit/

    ATFCleaner
    http://www.atribune.org/index.php?option=c...5&Itemid=25

    HijackThis
    http://download.cnet.com/Trend-Micro-Hijac...4-10227353.html
    !!HijackThis Disclaimer - Can fuck up your system if you kill legit processes.. take care when doing this or just skip over it... if it is still infected after doing the steps below you may have to run this program... post the LOG and I'll try to help you out... FYI I won't reply until tomorrow, so try without it if you're not sure!!

    And whatever AV you use (Kaspersky, AVG, etc.)


    Steps
    -Run ATF Cleaner and clear everything for Windows and your web browser
    -Run HijackThis and kill processes. You can search for the process on the net if you're not sure.. also check where the file location is (it shows you). IF this does not load, go on to the next step.
    -Run Dr CureIt and let it do the initial quick scan. IF it detects a virus, delete it.
    -Do a complete scan of your drives in Dr CureIt, delete/quarantine infected files
    -Run HijackThis again and close any persistent processes that you know are infected
    -Run your anti-virus and do a complete scan. IF you were not able to run it before, it should work now.
    -Restart and report, and a 'thank you' would be nice
     
  6. Splych

    Member Splych GBAtemp's Lurker

    Joined:
    May 19, 2008
    Messages:
    2,953
    Location:
    Canada, Ontario.
    Country:
    Philippines
    If none of those work... You'll have to re-install Windows... Bleh. I don't know anything about viruses... All I have done is get rid of em'... With what ever I had. Try Malware Bytes. It's worked for me.
     
  7. Hakoda
    OP

    Member Hakoda GBAtemp Addict

    Joined:
    Feb 2, 2008
    Messages:
    2,133
    Location:
    San Jose, CA
    Country:
    United States
    This will be my backup next to a couple of other things. Thanks.


    Thank you everyone I will reply back tomorrow on how it went. Please keep submitting suggestions as they may become back-up solutions if my main solution won't work. My last resort will be HijackThis which may work with the help of dawn.wan.

    Thanks again,

    ~ Jon
     
  8. Athlon-pv

    Member Athlon-pv GBAtemp Advanced Fan

    Joined:
    Feb 25, 2005
    Messages:
    621
    Country:
    United States
    "Rip" the HD from her computer; if needed, buy an external enclosure and fix it from another computer. Don't copy any files until the damn thing is clean!! Check and double check!

    The whole "let me take another few shots at trying it from her PC" is so futile.
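
Added example, not part of Athlon-pv's post or any other post in this thread: a Python script that does the kind of offline check described above, run against a Windows XP volume mounted read-only from another computer or a live CD. It never executes anything on the infected volume; it walks the profile and temp directories, flags any file that carries a PE header whatever its extension, and flags files named after core Windows processes that sit outside the Windows directory (the thread's observation that the rogue AV only lets explorer.exe-named files run makes such names worth a second look either way). The directory list, the process-name set, the PE_EXTENSIONS set and the sample tree built by build_sample_volume are assumptions constructed for the demo, not artefacts from the neighbor's machine.

```python
"""Offline triage of a Windows XP volume mounted read-only from another
machine or a Linux live CD.  Added example, not from the thread; it only
reads files and runs nothing from the infected volume."""
import tempfile
from pathlib import Path

# Assumption: where dropped executables typically land on XP, relative to
# the volume root ("C:\").  Point root at the mount point when running it.
XP_SUSPECT_DIRS = ["Documents and Settings", "WINDOWS/Temp"]

# Core process names a rogue AV would not dare block (the thread notes that
# explorer.exe gets through).  The rest of the set is an assumption.
SYSTEM_PROCESS_NAMES = {"explorer.exe", "svchost.exe", "lsass.exe",
                        "winlogon.exe", "csrss.exe", "services.exe"}
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}


def is_pe(path):
    """True if the file has an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def triage(root):
    """Return sorted [(relative_path, [reasons])] for files worth a closer look."""
    root = Path(root)
    findings = []
    for rel in XP_SUSPECT_DIRS:
        base = root / rel
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if not p.is_file():
                continue
            reasons = []
            if is_pe(p):
                if p.suffix.lower() in PE_EXTENSIONS:
                    reasons.append("PE image")
                else:
                    reasons.append("PE image with non-executable extension")
            if p.name.lower() in SYSTEM_PROCESS_NAMES:
                reasons.append("system process name outside the Windows directory")
            if reasons:
                findings.append((p.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def make_pe_stub():
    """Smallest byte string is_pe() accepts: MZ header, e_lfanew=0x40, PE signature."""
    head = bytearray(0x40)
    head[:2] = b"MZ"
    head[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(head) + b"PE\0\0" + b"\0" * 20


def build_sample_volume(root):
    """Constructed stand-in for the infected drive (stub headers, not real malware)."""
    files = {
        "Documents and Settings/Owner/Local Settings/Temp/update.tmp": make_pe_stub(),
        "Documents and Settings/Owner/Application Data/explorer.exe": make_pe_stub(),
        "Documents and Settings/Owner/My Documents/notes.txt": b"plain text",
        "WINDOWS/explorer.exe": make_pe_stub(),   # legitimate location, not walked
        "WINDOWS/Temp/readme.txt": b"not a PE file",
    }
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def run_demo():
    """Build the sample volume in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_volume(d)
        return triage(d)


if __name__ == "__main__":
    for path, reasons in run_demo():
        print(f"{path}: {', '.join(reasons)}")
```

Run it with `triage("/mnt/windows")` (or wherever the volume is mounted) instead of the demo tree; the header check catches droppers renamed to .tmp or .dat that a scan keyed on extension would skip, and a hit is a lead to hash and look up, not proof of infection on its own.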
     
  9. Tokiopop

    Member Tokiopop Caffeine fiend

    Joined:
    Apr 14, 2009
    Messages:
    1,833
    Location:
    UK
    Country:
    United Kingdom
    Guys, how is she going to run the programs you're giving links to if she cannot run .exes?

    Your best bet is to try what wchill said, and manually delete it with Ubuntu. If you can even get that working.
     
  10. Splych

    Member Splych GBAtemp's Lurker

    Joined:
    May 19, 2008
    Messages:
    2,953
    Location:
    Canada, Ontario.
    Country:
    Philippines
    Install the programs on a flashdrive? It never really hurt to try that... Since you can install some programs on them and they will run. I think Firefox portable was one of them, but not sure.
     
  11. Hakoda
    OP

    Member Hakoda GBAtemp Addict

    Joined:
    Feb 2, 2008
    Messages:
    2,133
    Location:
    San Jose, CA
    Country:
    United States
    I'm a bit familiar with Ubuntu Linux, but since it's not my computer and I've never tried it, I don't want to mess something up. I CAN run .exe's; it's just that the program has to be renamed to a current Windows process like Explorer.exe. Obviously, the virus can't block a Windows process, because without the actual Windows process it wouldn't function correctly.

    Thanks for the help guys, I'll be going over to her house in about an hour or so, I'll come back and leave a reply.

    ~ Jon
     
  12. kobykaan

    Member kobykaan GBAtemp Addict

    Joined:
    Aug 27, 2007
    Messages:
    2,994
    Country:
    United Kingdom
    use Trend HouseCall online browser-based antivirus/trojan removal tool here

    there are many other online virus scans too that will scan your HD and remove stuff!

    here's MANUAL instructions on how to remove it

    link

    more info here

    and if it's blocking .exe files try renaming the file extension to .msi (which is also an installer file)
     
  13. Hakoda
    OP

    Member Hakoda GBAtemp Addict

    Joined:
    Feb 2, 2008
    Messages:
    2,133
    Location:
    San Jose, CA
    Country:
    United States
    That may work, since S&D removed the sites which the virus was blocking (Symantec, McAfee, Kaspersky, etc.)

    If the Dr.Web LiveCD doesn't work I'm going to use HijackThis, then post a log somewhere. Then if that doesn't work I'm going to take out the HD and have my computer use BitDefender to scan it.

    Of course if that doesn't work, I can always call Megaman to jump into its CyberCore and delete the viruses

    ~ Jon
     
  14. kobykaan

    Member kobykaan GBAtemp Addict

    Joined:
    Aug 27, 2007
    Messages:
    2,994
    Country:
    United Kingdom
    Use a LINUX LIVE disk and then scan with the ONLINE scan; print the instructions out and remove the files manually through the Linux filesystem, browsing through the folders like you do with Windows! .... also you should be able to use the web browser fine on the LINUX machine, they mostly use FIREFOX and it's virtually the same anyhow!

    If it's blocking the websites then find your HOSTS.ini file in your Windows folder and delete any sites that are in
    there relating to anti virus sites etc

    in fact there shouldn't be any sites in there apart from your local machine IP


    127.0.0.1 localhost


    and that's it; any other sites that are listed are blocked via this hosts file!

    you may want to temporarily make this file READ ONLY while you work on the system to stop any new entries being added

    if Internet Explorer is being blocked use Firefox if you have it installed, or Opera; see if you can get to any sites

    did you try the HouseCall website, if you could get to it!?

    try the manual removal steps ... remove all the files listed and the registry entries .. yes it may take a while but if that's your only option and basically the FREE way of doing it then do so!


    remember once you get this off the system delete all your restore points as it could hide out in there and be reinstalled if you restore


    all the information is in the links above; print them out (use another machine if you have to to print them)
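
Added example, not part of kobykaan's post or any other post in this thread: a Python script that does the hosts-file check described above against the file copied from the mounted Windows volume (on XP it is %SystemRoot%\system32\drivers\etc\hosts, a plain text file with no extension). It reports every name other than the stock local ones, marks names pointed at loopback or 0.0.0.0 as sinkholed, rewrites the file without them, and clears the write bits as the post suggests. SAMPLE_HOSTS is constructed for the demo, not taken from the neighbor's machine, and the LOCAL_NAMES and SINKHOLE_IPS sets are this example's own assumptions.

```python
"""Audit, clean and lock a Windows hosts file from an offline mount.
Added example, not from the thread."""
import os
import stat
import tempfile
from pathlib import Path

# Assumption: names that legitimately appear in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-localnet",
               "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters"}
# Assumption: addresses rogue software uses to sinkhole a name.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: a stock XP header followed by the kind of entries the
# thread describes (AV vendor sites pointed at loopback).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       www.mcafee.com   # added by rogue AV
0.0.0.0         kaspersky.com
"""


def parse_hosts(text):
    """Return (line_no, ip, [names]) for every mapping line; comments and blanks skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].split()
        if len(body) >= 2:
            entries.append((n, body[0], body[1:]))
    return entries


def suspicious_entries(text):
    """Every non-local name, tagged 'sinkholed' (loopback/0.0.0.0) or 'redirected'."""
    out = []
    for n, ip, names in parse_hosts(text):
        for name in names:
            if name.lower() in LOCAL_NAMES:
                continue
            kind = "sinkholed" if ip in SINKHOLE_IPS else "redirected"
            out.append((n, ip, name, kind))
    return out


def clean_hosts(text):
    """Keep comments, blank lines and lines mapping only local names; drop the rest."""
    kept = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].split()
        if len(body) < 2 or all(n.lower() in LOCAL_NAMES for n in body[1:]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


def clean_and_lock(path):
    """Rewrite the file without foreign entries and clear its write bits.
    Returns the entries that were removed."""
    p = Path(path)
    text = p.read_text(encoding="latin-1")   # XP writes hosts as ANSI text
    removed = suspicious_entries(text)
    if removed:
        p.write_text(clean_hosts(text), encoding="latin-1")
    mode = p.stat().st_mode
    p.chmod(mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
    return removed


def run_demo():
    """Run clean_and_lock on a temp copy of SAMPLE_HOSTS.
    Returns (removed entries, cleaned text, remaining write bits)."""
    with tempfile.TemporaryDirectory() as d:
        hosts = Path(d) / "hosts"
        hosts.write_text(SAMPLE_HOSTS, encoding="latin-1")
        removed = clean_and_lock(hosts)
        cleaned = hosts.read_text(encoding="latin-1")
        write_bits = hosts.stat().st_mode & 0o222
        hosts.chmod(0o600)   # let the temp dir clean up on every platform
        return removed, cleaned, write_bits


if __name__ == "__main__":
    removed, cleaned, _ = run_demo()
    for n, ip, name, kind in removed:
        print(f"line {n}: {name} -> {ip} ({kind})")
    print(cleaned)
```

Two caveats before trusting the cleanup: a deliberately maintained hosts file (ad blocking, an intranet name) has legitimate non-local lines, so read the report rather than running it blind, and a chmod done from a Linux live CD on an NTFS mount may not carry over to the Windows read-only attribute, which is set from Windows itself with `attrib +r` on the file.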
     
  15. Hakoda
    OP

    Member Hakoda GBAtemp Addict

    Joined:
    Feb 2, 2008
    Messages:
    2,133
    Location:
    San Jose, CA
    Country:
    United States
    Do you mean an Install CD from here and then just choosing "Try Ubuntu" when you allow the computer to boot from the CD, or something else? If it's something else, could you specify with a link?

    ~ Jon

    EDIT: Just finished burning Ubuntu Desktop 9.04. I hit ENTER on "Try Ubuntu" on my own computer. Perfect solution. Should have listened to that from the start. Thanks again guys. I'll do the online scan, then if that doesn't work I can always use WINE to run a Windows antivirus.
     
  16. jaxxster

    Member jaxxster The Heretic

    Joined:
    Oct 31, 2006
    Messages:
    2,423
    Location:
    South East London
    Country:
    United Kingdom
    Have you even booted into safe mode, then installed Avast from a memory stick? That's what I did when I had a similar virus.
     
  17. Hakoda
    OP

    Member Hakoda GBAtemp Addict

    Joined:
    Feb 2, 2008
    Messages:
    2,133
    Location:
    San Jose, CA
    Country:
    United States
    jaxxster, I don't think it would make a difference, since the virus would still be there in safe mode? Or maybe it wouldn't.... well, I don't know.

    Anyways, thinking the Linux solution was going to work, I thought I had everything solved, but not exactly.

    When testing Linux on my own computer everything worked fine: internet, file browser, WINE, Firefox 3.5, the works... But when I booted it on her computer, Linux wasn't able to establish an internet connection, since it was a wireless LAN with WEP encryption. We had to enter the WEP key again, which they didn't remember. Linux wasn't able to use the connection Windows does. So then I thought, well then use NDISwrapper. Of course it requires an internet connection to install or something. I couldn't get it to work. Neither did WINE, since it needed an internet connection....

    That's when I gave up and left. I had a birthday party to go to. I just got back and I stumbled upon the BitDefender 2009 RescueCD v2.0.0 - 6/30/09. It's up-to-date and I'm willing to try it tomorrow, or any other free antivirus RescueCD from this site: Free Antivirus RescueCD's

    Thanks everyone!!! Tempers rule

    EDIT: Just got back from the neighbor's. The BitDefender 2009 RescueCD was working perfectly and it found a couple of infected files. Then when it got near the end the window just disappeared. It didn't show which files were infected or anything; it was just like in the middle of the scan and the window closed. I'll try again later.

    ~ Jon
     
  18. dragon574444

    Member dragon574444 GBAtemp Regular

    Joined:
    Dec 25, 2007
    Messages:
    287
    Country:
    United States
    My uncle had this exact virus. I ended up having to use the recovery partition on his PC and all that jazz.
     
  19. jaxxster

    Member jaxxster The Heretic

    Joined:
    Oct 31, 2006
    Messages:
    2,423
    Location:
    South East London
    Country:
    United Kingdom
    Like i said, make sure you're running this stuff in safe mode.
     
  20. tal32123

    Member tal32123 GBAtemp Regular

    Joined:
    Apr 14, 2009
    Messages:
    156
    Country:
    United States
    thats a huge friggen list
     