Tricky Combo of Virus Symptoms

molotov256

Hey all... I'm hoping this is a simple fix somebody has been through before, but it's got me stumped. I've done a pretty good amount of rogue removals, but this one, Antivirus Antispyware 2011 on XPSP3 (P4 tower), is better defended than usual.

Ran RKill then MBAM which got rid of visual annoyances, but I still can't run .exe's unless in safe mode. Went to safe mode to run combofix, but it can't run without uninstalling AVG. I don't know if this was a good idea or not, but after recent experiences, I decided to run the AVG removal tool to remove it rather than do it from add/remove programs. Unfortunately, the tool restarts the machine in the removal process, and during the restart, the virus component which blocks EXEs from running intercepted the AVG removal tool before it could continue. (Perhaps I could have F8'ed it and it could have continued? Maybe, but it's too late now!).

Now I'm really at a loss as to how to uninstall AVG, and I feel uncomfortable running ComboFix while it still warns me it's a bad idea to do so. I'm going to start looking into manual removal options now (and possibly end up wishing I had just done that from the getgo), but if anybody has anything to contribute to this head scratcher, I'd be obliged, and maybe a handful of other folks would too.
 
Superantispyware has a tool which fixes the exe issue. There are various other posts on here going over the same problem if that doesn't work for you :)
 
Which OS is the fix for? I have 2 separate fixes, depending on which version is required.

I believe he said Windows XP SP3.

http://www.dougknox.com/xp/file_assoc.htm
Scroll down to EXE

-OR-

You can create a file called whatever.reg, put this in there and import it into the registry (just double click it after you save it)

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"
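The fix above works by rewriting the HKEY_CLASSES_ROOT keys that tell Windows how to launch an .exe. The following is an added example (not code from the thread or from dougknox.com): a small parser for the "Windows Registry Editor Version 5.00" text format, plus a check that compares the launch-critical values in an export against the stock values shown in the posted fix, so you can see whether an association has been tampered with before and after applying the fix. The sample .reg texts embedded in it are constructed for the example; the redirected path in the second one is a placeholder, not a real indicator.

```python
"""Check a Windows .reg export of the .exe association for tampering.

Added example, not code from the thread. It parses the REG 5.00 text format
that the posted fix uses and verifies that the keys which decide how an .exe
is launched still carry stock values. A real export made with
`reg export HKCR\\exefile exefile.reg` is UTF-16 with a BOM, so read it with
open(path, encoding="utf-16") before passing the text in.
"""
import re

# Stock values, taken from the fix posted above.
EXPECTED = {
    (r"HKEY_CLASSES_ROOT\.exe", "@"): "exefile",
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "@"): '"%1" %*',
    (r"HKEY_CLASSES_ROOT\exefile\shell\runas\command", "@"): '"%1" %*',
}

# Constructed sample: a subset of the posted fix, i.e. a healthy association.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
'''

# Constructed sample: the "open" verb redirected through another program, so
# every .exe launch would run it first. The path is a PLACEHOLDER, not an IoC.
HIJACKED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\PLACEHOLDER\\redirect.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
'''


def _unquote(value):
    """Strip the surrounding quotes of a REG string and unescape \\\\ and \\"."""
    return re.sub(r'\\(["\\])', r'\1', value[1:-1])


def parse_reg(text):
    """Parse REG 5.00 text into {(key_path, value_name): value}.

    String values become str, hex:aa,bb values become bytes, the default value
    is named "@". Hex values split over several lines (trailing backslash) are
    joined first. Anything else (dword:, "name"=- deletions) is kept verbatim.
    """
    text = re.sub(r"\\\r?\n\s*", "", text)  # join continuation lines
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            value = _unquote(value)
        elif value.startswith("hex:"):
            value = bytes(int(b, 16) for b in value[4:].split(",") if b)
        entries[(key, name)] = value
    return entries


def check_exe_association(text):
    """Return a list of problems; an empty list means the launch keys are stock."""
    entries = parse_reg(text)
    problems = []
    for (key, name), want in EXPECTED.items():
        got = entries.get((key, name))
        if got is None:
            problems.append(f"missing: [{key}] {name}")
        elif got != want:
            problems.append(f"hijacked: [{key}] {name} = {got!r} (expected {want!r})")
    return problems


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_REG), ("hijacked", HIJACKED_REG)):
        print(label, check_exe_association(sample) or "OK")
```

Run it against an export taken before applying the fix to see which value was changed, and again afterwards to confirm the launch command is back to `"%1" %*`; an `exefile\shell\open\command` that points anywhere other than `"%1" %*` means every program start is being routed through that path.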
 
The SAS program works on every version I've tried it on.

Had one last week that, while my drive was plugged in, 'systemed' all the folders and made shortcuts to them on the root with "...rundll32.exe ___.dll _folder_". Easy fix but geez.
 
If you can run .exe files in safe mode and not in normal mode you are infected with something more than just Antivirus Antispyware 2011. Go ahead and run RKill and MBAM in safe mode; normally MBAM doesn't work as well in safe mode as it does in normal mode. Run SAS's Portable Scanner; it will have a .com extension. In safe mode try running programs like TDSSKiller, GMER and aswMBR, and also run some offline scans with live CDs like Avira AntiVir Rescue System and Dr. Web Live CD. Try running Process Explorer and Autoruns in both modes. Hope this helps.
 
Thanks all! I feel like an idiot, but I think I was just overtired last night - I had found the .exe fix from dougknox.com before posting, but didn't think it'd work without being able to open regedit. This morning, I put my head back on straight and it ran fine in safe mode, got me into the registry to re-enable task manager, and now I'm back in business. Much obliged! Still more work to be done, but getting past that hurdle was certainly helpful.

There's definitely more going on than just the Rogue AVAS2011 - looks like an MBR infection at this point. Hoping NTBR_CD with MBRFIX should do the trick. I'll try and follow up once it's all said and done. Thanks again for all the responses.
 
I've definitely seen an increase in scareware backed up by really good rootkits recently. Had one on the bench which stopped almost every rootkit tool on my thumb drive. Luckily not all of them though! :D

And to think that I used to think I had too many rootkit scanners :p
 
I've been seeing malware embedded in hiberfil.sys and/or pagefile.sys lately, that won't be removed by the methods so far.

If you have this it will all come back again.
 
Yes you can delete both files easily enough and recreate if required, though I always advise against hibernation.

The point is how do you know the file is infected in the first place?

I already routinely clear all system restore files and set a clean restore point at the end of decontamination, but it seems that these also need the treatment nowadays.

For the record I had two such in the last couple of days, one had Kaspersky, the other Panda.
 
The SAS tool is great for fixing that. Just a damn shame there is a rootkit on the damn thing, hopefully SFC and replacing the boot sector should help reveal it.
 

So how DID you know that the hibernation and paging file were infected then? :)
 

Avast.

There is stuff on the net which suggests that this is the only program to find them, which bears out my experience though I don't usually expect standard AV software to do the trick.

So you can either just simply renew the two files as a matter of course for safety, or scan with Avast (buy the rescue disk?), or only do this when the infection keeps inexplicably returning.

go well
 
Never seen this before; because the pagefile is used as swap space for RAM, maybe malware currently loaded in RAM was detected as being "in" the pagefile.

The same goes for the hibernation file; it is used to STORE the contents of RAM when the computer hibernates, which could also explain the antivirus detections.
 
I've gotta agree with this. I find it hard to believe otherwise.
 
Similar experience

I approached basically the same virus that you saw on your client's machine. I too agree, it was well defended and resistant to the normal routine for a fix, ugh. I approached from the Malwarebytes angle too. It (Malwarebytes) got it. I too had exe issues and other miscellaneous Windows OS issues all over the place. In these cases I do use ReImage to help. I know there may exist different opinions all over on this product/service. In my experience with, say, 10 XP machines over the last few years it has always helped with seemingly haywire registry issues that could have taken a long time to fix with a diagnose/decision-process/fix/test thought process of my own. So from a cost-benefit ratio ...and to get out at the right price point for my clients I will lean toward ReImage. (PS I was running Panda Cloud Protection and surprised this got through, normally it is very good at catching.) I have added Malwarebytes full-time protection for this client...I find it plays well with existing AV, too.
 