Topic: This is a cool virus


Mars
This is a cool virus
I'm fixing someone's computer, and formatting is not an option. It's XP Home SP3

When I type the name of some popular antiviruses (three of them start with Av) into search engines, Firefox crashes (no warnings or errors, it simply disappears), but no other search gets the same result.

I tried to circumvent this by downloading AV - G on another computer and installing it via CD, but the installer does the disappearing act as well.


How the hell do I get around this thing? I was thinking about a bootable Linux CD with some sort of antivirus.

 

General Battuta
Re: This is a cool virus
I know formatting is not an option...

...but can you boot with a Linux LiveCD, save necessary files, and format the hard drive?

Formatting the hard drive is the only way to be sure. I almost guarantee you that nothing else will get rid of it.

 

Mars
Re: This is a cool virus
Sounds like the best thing to do; thank you, I suspected as much but I didn't really trust myself. I need to wait until I can get a good sized external.

 

Mars
Re: This is a cool virus
I've never seen a virus like that.

 

Locutus of Borg
Re: This is a cool virus
Could it be Conficker?
We are the Borg
We will add your biological and technological distinctiveness to our own

Resistance is FUTILE

 

redsniper
Re: This is a cool virus
Kill it with Combofix!
"Think about nice things not unhappy things.
The future makes happy, if you make it yourself.
No war; think about happy things."   -WouterSmitssm

Hard Light Productions:
"...this conversation is pointlessly confrontational."

 

Rodo
Re: This is a cool virus
I had some trouble with Conficker; nothing like that (crashing the browser??), but it messed up the dnscache or something like that.

Run cmd and type: "net stop dnscache"

Give the av_ antivirus install another shot, this time without restarting the cpu.
el hombre vicio...

 

Polpolion
Re: This is a cool virus
Quote from: Mars
I'm fixing someone's computer, and formatting is not an option. It's XP Home SP3

When I type the name of some popular antiviruses (three of them start with Av) into search engines, Firefox crashes (no warnings or errors, it simply disappears), but no other search gets the same result.

I tried to circumvent this by downloading AV - G on another computer and installing it via CD, but the installer does the disappearing act as well.

How the hell do I get around this thing? I was thinking about a bootable Linux CD with some sort of antivirus.

It's probably either a process or some kind of registry setting. Either kill the process via Task Manager (if you can't open Task Manager because of the virus, there should be a small window of opportunity to start it just after logon but before the virus starts) and then install the antivirus stuff, or find and delete the offending registry setting. I dunno how well booting with a Linux CD would work, just because it might have some conflicts when looking through NTFS file systems. Then again, I don't know much about Linux.

 

Sushi
Re: This is a cool virus
This is obvious, but...

have you tried safe mode?

 

FUBAR-BDHR
Re: This is a cool virus
Couple of other things to try.  

Rename the installer for the antivirus and run the exe from the command prompt.
HijackThis to remove any BHOs and unwanted startup items. If you can't disable it you might at least get the names of the exes that are morphing. If you can drop to a command prompt and rename them to .bad you might be able to reboot and get the AV to install.
Spybot, if you can get it to install.

Also if you have a test station you can install the infected drive in that and clean it.  Only recommended if you don't care if the computer might get the virus.  Suggest updating the antivirus software, installing the infected drive, booting into safe mode and scanning before booting normal and scanning.

Forgot one more thing.  Make sure you run a full scan for each user on the system.  Seems the virus/malware can install itself to all the accounts on a system but antivirus can't remove it unless you are logged in under that user.  Had something like this on a machine with 5 users + admin.  Had to run 18 virus and spyware scans (twice for each account, once in safe mode twice regular boot) after disabling the darn thing to clean it out. 
« Last Edit: July 29, 2010, 01:17:48 am by FUBAR-BDHR »
No-one ever listens to Zathras. Quite mad, they say. It is good that Zathras does not mind. He's even grown to like it. Oh yes. -Zathras

 

Polpolion
Re: This is a cool virus
Quote from: FUBAR-BDHR
Rename the installer for the antivirus and run the exe from the command prompt.
HijackThis to remove any BHOs and unwanted startup items. If you can't disable it you might at least get the names of the exes that are morphing. If you can drop to a command prompt and rename them to .bad you might be able to reboot and get the AV to install.
Spybot, if you can get it to install.

The renaming thing should work. If it's anything like the program blocks at my old school, it is indeed name based and changeable via system registry.

Also, to remove programs from startup list without having to install additional programs:

run: regedit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It should be fairly easy to tell the virus apart from everything that's normal in the Run folder. Also, you'll probably need to do the same only under HKEY_CURRENT_USER to get the startup entirely.
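The steps in the last few posts (rename the installer, inspect the Run keys under HKLM and HKCU, sweep every account) can also be done offline against a .reg export instead of clicking through regedit on the infected box. The script below is an added example, not code from this thread or from any of the tools named in it: it parses a regedit / `reg export` file, lists every Run/RunOnce value together with the key (and therefore the account) it belongs to, and flags commands that start from user-writable locations or through loaders such as rundll32. The sample export and the names and paths in it are constructed, and the Image File Execution Options check is an assumption about one place a name-keyed block on a renamed installer could be configured; the thread does not establish that this is what happened here.

```python
"""Offline triage of autostart entries in a regedit / `reg export` .reg file. Added example,
not code from the thread: it assumes the Run keys were exported from the infected disk and
are read on a clean machine, and SAMPLE_REG is constructed. Checking Image File Execution
Options is an assumption about where a name-keyed block could live, not established here."""
import re
from collections import namedtuple

# Run keys the thread names: HKLM (all users), HKCU (logged-on user) and, through
# HKEY_USERS\<SID>, every other account's hive, which is why a per-user sweep matters.
RUN_KEY_RE = re.compile(r"^\[(?P<root>HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKEY_USERS\\[^\\\]]+)"
                        r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(?P<sub>Run|RunOnce)\]$", re.I)
# A Debugger value under this key makes Windows start that program instead of <exe>.
IFEO_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
                     r"\\Image File Execution Options\\(?P<exe>[^\\\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<data>.*)$')
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\",  # XP layout
                 "\\local settings\\", "\\recycler\\", "%temp%", "%appdata%", "%userprofile%")
LOADERS = {"rundll32.exe", "regsvr32.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# scope: key the value lives under; flags: heuristic reasons to look closer (empty = nothing odd)
Finding = namedtuple("Finding", "scope name command image flags")

def unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")

def decode_data(data):
    """REG_SZ is quoted text; REG_EXPAND_SZ arrives as hex(2): UTF-16LE bytes."""
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return unescape(data[1:-1])
    m = re.match(r"hex\(2\):(.*)$", data, re.I)
    if m:
        return bytes.fromhex(m.group(1).replace(",", "")).decode("utf-16-le").rstrip("\x00")
    return None  # dword, binary or deleted ("-"): not a command line

def image_path(cmd):
    """First token of a command line, honouring quotes and extension boundaries."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]

def flags_for(cmd, image):
    flags = []
    if any(mark in cmd.lower() for mark in USER_WRITABLE):
        flags.append("user-writable location")
    if image.rsplit("\\", 1)[-1].lower() in LOADERS:
        flags.append("loader: inspect arguments")
    if "\\" not in image and not image.startswith("%"):
        flags.append("bare filename, resolved via PATH")
    return flags

def parse_reg(text):
    """Findings for every Run/RunOnce value and every IFEO Debugger value in the export."""
    # regedit wraps long hex data with a trailing '\'; splice those lines back together first
    lines = [ln.strip() for ln in re.sub(r"\\\r?\n\s*", "", text).splitlines()]
    scope = ifeo_exe = None
    out = []
    for ln in lines:
        if ln.startswith("["):
            rm, im = RUN_KEY_RE.match(ln), IFEO_RE.match(ln)
            scope = ln[1:-1] if rm else None
            ifeo_exe = im.group("exe") if im else None
            continue
        vm = VALUE_RE.match(ln)
        if not vm or (scope is None and ifeo_exe is None):
            continue
        name = "(default)" if vm.group("name") is None else unescape(vm.group("name"))
        cmd = (decode_data(vm.group("data")) or "").strip()
        if not cmd:
            continue
        image = image_path(cmd)
        if ifeo_exe is None:
            out.append(Finding(scope, name, cmd, image, flags_for(cmd, image)))
        elif name.lower() == "debugger":
            out.append(Finding(f"IFEO for {ifeo_exe}", name, cmd, image,
                               [f"Debugger redirect: starting {ifeo_exe} runs this instead"] + flags_for(cmd, image)))
    return out

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVTray"="\"C:\\Program Files\\Example AV\\avtray.exe\" /minimized"
"winlogon32"="C:\\WINDOWS\\Temp\\winlogon32.exe"
"helper"="rundll32.exe C:\\RECYCLER\\shell.dll,Start"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,\
  75,00,70,00,64,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_USERS\S-1-5-21-1111-2222-3333-1005\Software\Microsoft\Windows\CurrentVersion\Run]
"svhost"="C:\\Documents and Settings\\Guest\\Local Settings\\Application Data\\svhost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avsetup.exe]
"Debugger"="C:\\WINDOWS\\Temp\\winlogon32.exe"
'''

if __name__ == "__main__":
    for f in parse_reg(SAMPLE_REG):
        print(f"[{f.scope}] {f.name} -> {f.command}   {'; '.join(f.flags) or 'nothing odd'}")
```

On the XP box itself the export is `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" hklm_run.reg` (likewise for HKCU). Other accounts' Run keys only appear under HKEY_USERS while that user is logged on or their NTUSER.DAT has been attached with `reg load`, which is the registry-side reason a scan has to be repeated per account, as FUBAR-BDHR observed.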

 

Klaustrophobia
Re: This is a cool virus
CCleaner has a nice tool for disabling/deleting registry startup items without mucking about with regedit.

The only other suggestion I have is to try to brute-force the thing with every scanner known to Windows from safe mode. Putting the drive in another PC may be a good place to start, but I got one that didn't get finished off by that. It got into my boot files and I don't think those can be cleaned as a secondary drive.
I like to stare at the sun.

 

Nuke
Re: This is a cool virus
You know you can take the hard drive out of the computer, stick it in another computer and give it a good scan. Just make sure the operating system doesn't try to open the drive with autoplay.
I can no longer sit back and allow communist infiltration, communist indoctrination, communist subversion, and the international communist conspiracy to sap and impurify all of our precious bodily fluids.

Nuke's Scripting SVN

 

Mars
Re: This is a cool virus
Quote from: Sushi
This is obvious, but...

have you tried safe mode?

Yes, and disabling all of the unnecessary startup items. Some good ideas here though, and I'm definitely going to scan all of the user folders.

 

Bobboau
Re: This is a cool virus
Why is reformatting not an option?
I could understand it being an undesirable last option, but it is always an option.

It's the only way to be sure.


And I have encountered viruses like this in the past; they are nasty as **** and they tend to have a subtle back door that silently pulls in the big payloads, so you'll clear the system out, it will be acting as normal as ever, then four hours later it gets back to just as bad as it was before.
Bobboau, bringing you products that work... in theory
learn to use PCS
creator of the ProXimus Procedural Texture and Effect Generator
My latest build of PCS2, get it while it's hot!
PCS 2.0.3


DEUTERONOMY 22:11
Thou shalt not wear a garment of diverse sorts, [as] of woollen and linen together

 

Flipside
Re: This is a cool virus
Avira reported a virus in Crysis Warhead on Steam the other day...

Quote
Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
detected in file 'F:\Program Files (x86)\Steam\steamapps\common\crysis warhead\appid_17330.exe.

Probably (as in, almost certainly, I hope) a false detection, but still, first time any commercial program I've owned has ever fallen out with Avira...

 

Klaustrophobia
Re: This is a cool virus
I've noticed a general increasing trend in false positives for antivirus in general these days. I think they are all trying to beat each other by catching more at the cost of accuracy.

 

Nuke
Re: This is a cool virus
Quote from: Klaustrophobia
I've noticed a general increasing trend in false positives for antivirus in general these days. I think they are all trying to beat each other by catching more at the cost of accuracy.

I always figured it was virus programmers just jacking pieces of open-sourced software (sometimes using the same libraries is enough) and using them in their viruses. I figure script kiddies are too lazy to write 100% original source. This is my theory of how false positives are detected. But I like your explanation better. It has that paranoid delusional conspiracy theory feel to it that I admire.

 

Klaustrophobia
Re: This is a cool virus
Most of my false positives have come from games. I can't think of how anything in there would be something a virus author would want to copy, nor is it open-sourced.

 

Nuke
Re: This is a cool virus
Games have file systems, and rendering engines, and direct access to things like input and output and named pipes. Go figure, operating systems have these things too. I can see how you would use SDL in the creation of a virus, for example. But that's just an example. The way viruses are detected is by a hash check that identifies distinct parts of the virus's machine code. If these parts of the code are in common with another application (they compiled in similar libraries, for example), then it might detect those applications as viruses.
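As an added illustration of the mechanism the post above describes (not code from the thread, and not how any real AV product is built), here is a deliberately simplified chunk-hash matcher. Signatures are extracted as hashes of fixed-size chunks of a malware sample; if chunks that also occur in known-clean files are not subtracted, an unrelated game that was compiled with the same library gets flagged, which is the false-positive path Nuke sketches. Every byte string below (the "shared library", the "malware", the "game", the "editor") is constructed for the example; real engines add variable-length patterns, emulation and heuristics on top of anything like this.

```python
"""Toy chunk-hash signature matcher, added to illustrate the false-positive mechanism the
post above describes. Not any product's code: the 'binaries' are constructed byte strings,
and real engines layer variable-length patterns, emulation and heuristics on top of this."""
import hashlib

CHUNK = 16  # bytes per signature chunk

def digest(chunk: bytes) -> bytes:
    return hashlib.sha256(chunk).digest()

def aligned_chunks(blob: bytes, size: int = CHUNK) -> set:
    """Hashes of the consecutive size-byte chunks of blob: what a signature author extracts."""
    return {digest(blob[i:i + size]) for i in range(0, len(blob) - size + 1, size)}

def sliding_chunks(blob: bytes, size: int = CHUNK):
    """Hash of every size-byte window at every offset, so a match does not depend on alignment."""
    return (digest(blob[i:i + size]) for i in range(len(blob) - size + 1))

def build_signatures(malware_samples, clean_corpus=(), size: int = CHUNK) -> set:
    """Chunks seen in malware, minus any chunk that also appears in known-clean files.
    Skipping the subtraction is exactly what turns shared library code into a signature."""
    sigs = set()
    for sample in malware_samples:
        sigs |= aligned_chunks(sample, size)
    clean = set()
    for good in clean_corpus:
        clean |= set(sliding_chunks(good, size))
    return sigs - clean

def scan(blob: bytes, sigs: set, size: int = CHUNK) -> int:
    """Number of windows in blob that hit a signature; 0 means clean under this model."""
    return sum(1 for h in sliding_chunks(blob, size) if h in sigs)

# Constructed inputs. SHARED_LIB stands for a library (SDL-style import names) compiled
# into both a piece of malware and an unrelated game; the rest of each file differs.
SHARED_LIB = b"SDL_Init\0SDL_CreateWindow\0SDL_PollEvent\0".ljust(48, b"\0")
MALWARE = SHARED_LIB + b"cmd.exe /c copy %0 \"%APPDATA%\\svhost.exe\""
GAME = b"MZ\x90\x00\x03\x00\x00" + SHARED_LIB + b"render_frame\0draw_hud\0load_level\0"
EDITOR = b"\x7fELF" + SHARED_LIB + b"open_document\0save_document\0"  # known-good, same lib

def demo() -> dict:
    naive = build_signatures([MALWARE])              # no clean corpus: library chunks become signatures
    curated = build_signatures([MALWARE], [EDITOR])  # library chunks removed: only payload chunks remain
    return {
        "game_vs_naive": scan(GAME, naive),            # false positive: the shared library matches
        "game_vs_curated": scan(GAME, curated),        # nothing left to match
        "malware_vs_curated": scan(MALWARE, curated),  # still detected on its own code
    }

if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {hits} matching window(s)")
```

The game is flagged by the naive signature set purely because its library chunks sit in the set; subtracting chunks seen in a known-clean corpus (what vendors do at scale with large goodware collections) removes the shared code and leaves only the payload-specific chunks, which still catch the malware. The sliding scan matters too: the library lands at a different offset in each file, so aligned-only matching would have missed the collision and given a misleading sense of precision.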