afflik1923 asked:
Found virus boaxxe.dll and others. IE won't start - recommend new anti-virus

Hi,

The attached screenshot shows a virus found on a PC in my client's network.
I've used HijackThis, Spybot and a deep scan with Windows Defender, and these viruses still reside.

1) Can anyone advise on how to remove it?

Also IE will not start; when you try, the virus scan pops up instead and finds another virus on explorer.

Another computer (at least two in fact) on the same network has the problem that when you enable the virus scan, after a few moments it just disables itself again. I cannot see any reason why this would happen.
2) Can anyone advise why McAfee VirusScan 7.1.0 just disables itself on at least two PCs?

I've thought for a while it's time to beef up the security on this network as I've found a good few spyware and viruses on it, but they are already at performance capacity and my experience of more recent anti-virus is that it is so resource hungry.

3) Is this anti-virus very old and weak, and should I upgrade the network to something better, if so what?

Thanks for any input.
IndiGenus:

Hi,

1) Go ahead and post your HijackThis log so we can see what is going on here.

2) It is probably not McAfee disabling itself... but more likely the active malware is disabling the AV.

3) I personally recommend using Kaspersky security products. But that is just my experience. Everyone has differing opinions on this.
ASKER CERTIFIED SOLUTION
vague_hit
afflik1923 (asker):

Kaspersky has helped. Can now open IE and have managed to do a whole load of Windows updates.
Alas I cannot control Kaspersky remotely. Very frustrating. I cannot click on anything so cannot run a full scan.

HijackThis still reports the problem and cannot fix it (I remove the entry but it comes back) so the virus file does still exist on the PC, just with Kaspersky installed it seems to have less influence on the system.

The file is
advapi3.dll

and this resides in:

C:\windows\System32

Super Anti Spyware also finds it on a scan (as an unknown) but it comes back again on each scan. So it has not been fully shaken off yet.

Also when booting up, two Windows Explorer windows open trying to get me to buy dodgy anti-spyware software, suggesting a definite infection.

What to do?

SOLUTION
rpggamergirl
Hi,

Quick update. Due to the issues, I tried drastic measures. After many things tried I attempted using BartPE to boot up and rename the offending files (Kaspersky indicated two similarly named DLL files in system32).

However this broke Windows and when booting, when the login screen would come up it just reset itself, therefore an endless loop.

Used BartPE to try and reverse my changes but still broken.

Then I tried a repair install which worked. Tried Safe mode boot and then ran www.Malwarebytes.org.

Found 7 things, removed them, rebooted, back to exactly where I was.

I regret not just deleting the files before I did the repair install but I will have to try that next time.
I ran out of time to try anything else.

All I know is, this is a VERY persistent spyware / virus that has so far beaten everything I have thrown at it.

Is Kaspersky still running in the background? Make sure you are not running two virus programs at once, just have Kaspersky for now. Run it again, making sure it is set to scan all files on all drives and once it is finished tell it to delete all infected files. Do NOT go in and delete them yourself. Post back and let me know which trojans/viruses it tells you you are infected with.

Also, I do not see a link to any screenshots in your first post, could you describe what you see?
As it is a client PC I have to go on site to get them and not due for at least a few days now (PC is disconnected from network).

Kaspersky (trial version) actually tells me less than McAfee did but they both pointed at the same files (as did HijackThis).

I removed McAfee before installing the Kaspersky trial.

From memory Kaspersky finds (as did McAfee, but McAfee also called it boaxxe.dll):

advapi3.dll
advapi3.dll__

and they reside in:
C:\windows\system32

I compared this to a random working system and that had a file called
advapi32.dll

Soon after booting Kaspersky flags these files and the only option it gives is to skip them (two warnings pop up).

I also tried moveonboot after following:
http://answers.yahoo.com/question/index?qid=20080708012505AARRMPC

but no luck either.
Spent a lot of time on this virus. Never had such a hard one.

Yep, what I'm asking is what virus it specifically says those files are infected with.

Yeah, McAfee has a better virus database, just Kaspersky gets rid of things better.

The only option it gives is to skip them? That's odd.

but yes, once you know what exactly comes up on the screen when Kaspersky finds the file and flags it please post it here and I can do further research.
Can you post a current HijackThis log. It may give us a much better idea of what we're dealing with. There are specialized tools like the one rpg advised (combofix), and HJT would give us an idea of what needs running.
That file, advapi3.dll, is in the combofix changelog and would be dealt with by running cf. I would still like to see a HJT log first but...
IndiGenus has kind of beaten me to the punch with this, but please follow the instructions on this website:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

and then post the combofix log for me (log.txt)

you may need to perform the steps on site as it involves installing the recovery console.

thanks!
oh, and ensure that no other anti-virus or malware program is running or memory resident while you are running combo fix
Actually, rpggamergirl beat us all by about 4 days....advising cf back on the 15th. :)
Hah, no kidding, you're right, I completely missed it. Maybe afflik1923 did as well? It appears to be the one thing that will clean his computer, going by the research I've been doing on the net.
OK, next time I'm in the office I will try and do these things. I resisted posting the HijackThis log because it has entries that identify the client and, while not the end of the world, did not want to advertise a compromised PC (maybe network).
But I guess I can filter it out.
Anyway, when I put the HijackThis log into the analyser on the website it only comes out with one bad entry which is the file indicated before.

Kaspersky gives only the option of skipping because the clean / remove options failed so it gives the only option left of Skip.

Anyway, the sooner I get the "Do not use" note off the PC the better.

Thanks for efforts so far!!
SOLUTION
Don't worry about HijackThis if you don't want to, but please run combofix and let us know if it fixes the problem.. if anything, the suspense is killing me!

Hmm, OK I had learnt to just rely on the analysis tool online. I'll definitely post it then as soon as the next time I'm there.
(Although I'll probably also use the opportunity to delete the two files, and then try a repair install - last time I renamed them, and then renamed them back before trying the repair install.)

I really think you should actually read the page I posted you a link to before for combo fix and DO THAT FIRST

My reasoning?
1. You've tried deleting the files before with no success.
2. A repair install is very time consuming.
3. Combo fix has actually worked for many people whereas going in and deleting the files hasn't.

It's a regenerating virus and combo fix is a tool that attacks it specifically and deletes it. From all the evidence I can see online, there are more than two files that the virus utilises but they are the ones that get 'flagged' ... the number is actually closer to around 12-14 but most of them are 'dummies' that are injected with the active code when you delete any of the files active at the time.
I have now run Combo fix and attached the log file.
I have also then afterwards run hijack this again and attached that log file.

I have not yet reinstalled anti virus but judging by the hijack this logfile it looks like it is still there, however maybe it will be able to remove the entry now.

I will shut the PC down. Await feedback and then on next visit resume further to recommendations.

Thanks

combo-fix-log.txt
hijackthis.log
Actually before I leave I will try again and fix the following problems in HijackThis.

[?] - O2 - BHO: (no name) - {9769C0DD-5600-49CF-8A1E-74BCDF1AD690} - C:\WINDOWS\System32\advapi3.dll
[?] - O4 - HKLM\..\Run: [PspUsbCf] pspusbcf.exe

Previously the advapi3.dll one just reappears after trying.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Go to the website. Install the recovery console according to the instructions. Run combofix again. It can't do as much without the console, which according to its log file has not been installed.

has there been any change regardless with the computer?
I've not reinstalled the computer with anti virus yet. The PC is a free workstation marked out of use so will never be sure if there is any detrimental effect on performance, but I just want to know the virus is gone before I reconnect it to the network. (So also cannot work on it remotely)

AS SOOOO many hours have been spent on this I'm beginning to accept defeat and re-install.

Did the logs reveal anything?

I will try and do it with the recovery console next time I am onsite.
@afflik1923

I sympathize with you and understand how frustrated you probably are. I also hope you'll take my comments as constructive "advice".

You seemed reluctant to take the advice you were given along the way here. I think if you had just posted the HJT log right away and then taken the advice to proceed, most likely with combofix, you would have saved A LOT of time and pain here. You had 3 experts helping you here that have probably countless thousands of hours of PC troubleshooting and malware removal experience.

As far as what the last cf log revealed, likely one of the biggies was this driver:

R0 gtbfoonj;gtbfoonj;C:\WINDOWS\system32\drivers\ybwumkyc.dat []

It's just a randomly named driver and file but it was likely preventing complete removal of all items. You should install the recovery console and if you would like a script to run with combofix let us know and one of us can provide that.

Regards,
Dave
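The two HijackThis entries the asker listed and the randomly named driver Dave pulled out of the ComboFix log are the kind of lines a small triage script can pre-flag before anyone reads a full log. The following is an added example, not code from the thread or from any of the tools mentioned; the sample log lines are constructed in the style of the quoted entries (the actual log attachments are not on the page), and the short list of system DLL names and the name heuristics are assumptions for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample lines in the style of the HijackThis / ComboFix entries
# quoted in the thread (the real log attachments are not on the page).
SAMPLE_LINES = [
    r"O2 - BHO: (no name) - {9769C0DD-5600-49CF-8A1E-74BCDF1AD690} - C:\WINDOWS\System32\advapi3.dll",
    r"O4 - HKLM\..\Run: [PspUsbCf] pspusbcf.exe",
    r"R0 gtbfoonj;gtbfoonj;C:\WINDOWS\system32\drivers\ybwumkyc.dat []",
    r"O2 - BHO: Example Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\ExampleHelper.dll",
]

# Assumed short list of legitimate system DLL names that a look-alike might imitate.
KNOWN_SYSTEM_DLLS = {"advapi32.dll", "kernel32.dll", "ntdll.dll", "user32.dll"}

FILE_RE = re.compile(r"([A-Za-z0-9_\-]+\.(?:dll|exe|sys|dat))\b", re.IGNORECASE)
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{4}")


def lookalike_of(filename):
    """Return the system DLL that `filename` nearly, but not exactly, matches; else None."""
    name = filename.lower()
    if name in KNOWN_SYSTEM_DLLS:
        return None
    for known in sorted(KNOWN_SYSTEM_DLLS):
        if SequenceMatcher(None, name, known).ratio() >= 0.85:
            return known
    return None


def looks_random(filename):
    """Heuristic for generated names: 8+ lowercase letters containing a run of 4 consonants."""
    stem = filename.rsplit(".", 1)[0]
    return len(stem) >= 8 and stem.isalpha() and stem.islower() and bool(CONSONANT_RUN.search(stem))


def triage(line):
    """Return the reasons a log line deserves a closer look (empty list if none)."""
    reasons = []
    if line.startswith("O2 ") and "(no name)" in line:
        reasons.append("BHO registered with no name")
    for filename in FILE_RE.findall(line):
        known = lookalike_of(filename)
        if known:
            reasons.append(f"{filename} resembles system DLL {known}")
        if looks_random(filename):
            reasons.append(f"random-looking name: {filename}")
        if line.startswith("R0 ") and not filename.lower().endswith(".sys"):
            reasons.append(f"kernel driver loaded from non-.sys file: {filename}")
    return reasons
```

The flags are prompts for a human to look closer, not verdicts: a legitimately odd vendor name will trip the random-name heuristic, so treat a hit as "check this entry first".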
Fair points Dave. Sometimes trying to apply the quick easy fix ends up being more painful than having just tried the first suggestion along the way.

The frustrating part with this particular PC is the limited access, but I'll try the recovery console next time I'm in.

Thank you ALL for your input on this matter.

Yes, having limited access to a malware-infected PC is not easy. Most times I take them back to the shop, unless it's a quick simple fix. I like to do several scans after the initial cleanup, and that takes hours, so it's something I can start and just head to bed while they are running.

Sorry this hasn't worked out better for you,
Dave
Used the console on this. Still no luck. In the end reinstalled the PC.
Will award points shortly.
Thanks for input. As said, never resolved this and re-installed. Tried ALL suggestions in the end. Points slightly randomly awarded as all input was useful. But never actually solved it.