
How do I remove IApro.exe (Internet Antispyware)?

I have come across this virus before and was able to remove it, but this time it seems far better protected. Its files are more hidden and it resets the computer when detected. I used HijackThis, and these are some of the entries that show up in the log file, but they don't show up on the fix-it screen, so I am unable to remove them. One of its major defenses is to reset the computer upon being detected, which prevents SuperAntiSpyware from running. When I do a search and type in IApro.exe, it will reset the computer. This is a real challenge for me. HELP!!!

c:\program files\Internet Antivirus Pro\IAPro.exe
O1 - Hosts: 82.98.231.89 browser-security.microsoft.com
O1 - Hosts: 82.98.231.89 best-click-scanner.info
O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.infosecuritycenter.com
O1 - Hosts: 82.98.231.89 microsoft.softwaresecurityhelp.com
O1 - Hosts: 82.98.231.89 onlinenotifyq.net
O1 - Hosts: 82.98.231.89 antivirusxp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.browser-security-center.com
O4 - HKLM\..\Run: [CPMcb662f34] Rundll32.exe "c:\windows\system32\bepijote.dll",a
O4 - HKLM\..\Run: [fubinenisa] Rundll32.exe "C:\WINDOWS\system32\delopozo.dll",s
O4 - HKCU\..\Run: [Internet Antivirus Pro] "c:\program files\Internet Antivirus Pro\IAPro.exe" /s
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe

Asked by mc2explore

mikeewalton commented:
Try Malwarebytes free edition.

http://www.malwarebytes.org/
 
skywalker39 commented:
Hi mc2explore,

I agree with mikeewalton: try Malwarebytes' Anti-Malware. Also, here are some others to try:
http://www.pctools.com/spyware-doctor-antivirus/
http://www.pctools.com/free-antivirus/

Also I recommend updating the anti-virus applications' definitions and trying to run them in both normal Windows and Safe Mode; also do a full scan.
 
warturtle commented:
Hmm... restart your PC in Safe Mode (without networking) and then run SuperAntiSpyware. Let us know what you find. Alternatively, if you haven't installed it, then download it again and save it with a completely different name like jabba.exe and run it.
 
johnb6767 commented:
Can also use ComboFix. (Stolen from rpggamergirl's postings...) :)

See if you can get it to scan in Safe Mode.

Here are the instructions; if it doesn't run at first, then redownload and rename before saving to your desktop.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If needed, here's the ComboFix tutorial, which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Personally, I wouldn't install the Recovery Console.
 
mc2explore (Author) commented:
Whatever I try, the system keeps resetting in the middle of a virus scan, Safe Mode or normal mode. If I could eliminate this issue, which seems to be a protective device of the malware, I may be able to get somewhere.
 
johnb6767 commented:
In this case, I would scan the HDD from another machine while it is slaved to it. That way you can manually delete the files if you know where they are, because its protective DLLs are not loaded into memory. You can also load the slaved drive's registry hives and remove the startup entries, etc.
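The slaved-drive approach above, worked through as an added example (editor's script, not johnb6767's): load the slaved drive's SOFTWARE and NTUSER.DAT hives, delete the O4 Run values and the O1 hosts hijacks from the HijackThis log, and quarantine the listed files. None of the malware can fight back because the clean machine's OS is what is running. Assumptions that are mine, not the thread's: the slaved drive is mounted as E:, the infected XP profile is "Documents and Settings\Owner", and the script runs from an elevated PowerShell prompt on the clean machine.

```powershell
# Added example, not from the original post: offline cleanup of a slaved drive.
# Assumed (not from the thread): drive letter E:, profile name "Owner", elevated prompt.

$Drive      = 'E:'
$UserName   = 'Owner'
$Config     = "$Drive\Windows\System32\config"
$UserHive   = "$Drive\Documents and Settings\$UserName\NTUSER.DAT"
$LogFile    = "$env:USERPROFILE\Desktop\iapro-cleanup-log.txt"
$Quarantine = "$env:USERPROFILE\Desktop\quarantine"
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null

# Value names taken from the O4 lines in the log, keyed by the offline hive they live in.
# HKLM\..\Run lives in the SOFTWARE hive; HKCU\..\Run lives in the user's NTUSER.DAT.
$RunValues = @{
    'HKLM:\OfflineSOFTWARE\Microsoft\Windows\CurrentVersion\Run'      = @('CPMcb662f34', 'fubinenisa')
    'HKLM:\OfflineUSER\Software\Microsoft\Windows\CurrentVersion\Run' = @('Internet Antivirus Pro', 'cdoosoft')
}

# 1. Mount the slaved drive's hives under temporary keys. reg.exe does the loading;
#    the PowerShell registry provider can then read and write them like any other key.
reg.exe load HKLM\OfflineSOFTWARE "$Config\SOFTWARE" | Out-Null
reg.exe load HKLM\OfflineUSER $UserHive | Out-Null
try {
    foreach ($key in $RunValues.Keys) {
        foreach ($name in $RunValues[$key]) {
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                # Log the value and its command line so a mistake can be undone later
                "$key\$name = $($item.$name)" | Add-Content -Path $LogFile
                Remove-ItemProperty -Path $key -Name $name
                Write-Host "Removed Run value '$name'"
            }
        }
    }
}
finally {
    # Always unload, or the hives stay locked and the drive will not boot once put back
    [GC]::Collect()
    reg.exe unload HKLM\OfflineSOFTWARE | Out-Null
    reg.exe unload HKLM\OfflineUSER | Out-Null
}

# 2. Undo the O1 hosts hijacks: keep only comments, blank lines and loopback entries,
#    after saving the original for the record
$Hosts = "$Drive\Windows\System32\drivers\etc\hosts"
Copy-Item -LiteralPath $Hosts -Destination "$Quarantine\hosts.original"
$Keep = Get-Content -LiteralPath $Hosts | Where-Object {
    $_ -match '^\s*#' -or $_ -match '^\s*$' -or $_ -match '^\s*(127\.0\.0\.1|::1)\s'
}
Set-Content -LiteralPath $Hosts -Value $Keep -Encoding ASCII

# 3. Move the files named in the log into quarantine (kept for analysis, not destroyed).
#    Test-Path and Move-Item work on hidden files, which Explorer's search skips.
$Files = @(
    "$Drive\Program Files\Internet Antivirus Pro\IAPro.exe",
    "$Drive\Windows\System32\bepijote.dll",
    "$Drive\Windows\System32\delopozo.dll",
    "$Drive\Windows\System32\olhrwef.exe"
)
foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f) {
        Move-Item -LiteralPath $f -Destination $Quarantine -Force
        "Quarantined $f" | Add-Content -Path $LogFile
    }
}
```

The try/finally matters: if a Remove-ItemProperty throws and the hives are left loaded, the slaved drive's registry is still held open by the clean machine and the original system will fail to boot until they are unloaded. Everything removed is written to the log file and the original hosts file is copied aside, so an entry that turns out to be legitimate can be put back.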
 
johnb6767 commented:
Try this.... If Safe Mode, it will need to be done in Safe Mode....

Go to "c:\program files\Internet Antivirus Pro" and right-click IAPro.exe. Go to the Security tab and remove all the top entries (usernames/groups) except for SYSTEM and your user ID. You might need to go to the Advanced tab, uncheck the box at the bottom for Inheritable Permissions, and then click COPY.
Once you have selected COPY if needed, click OK, and then remove all but the two entries.
Click DENY, Full Control, and hit OK.

You can even do this for the following files...

C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\delopozo.dll
c:\windows\system32\bepijote.dll

If you have made it this far, reboot the machine, and IAPro.exe shouldn't be running (or the other ones protecting it).

Once you verify they aren't running, remove the startup entries, and if successful, reboot.
If you can't remove them, just move on to try and delete them. This can be done by going back to the files in Explorer, going back to the Security tab, and granting YOUR user ID Full Control. Click OK, and then try and delete them....

You might need to do the other three files first, in case IAPro plays hard to get. I have found this method to be time-consuming, but I have removed ENTIRE rootkit infections this way that no other method would allow. It also works for registry keys that keep reappearing. But if you go further than a few files, you need to keep a log of the files/keys you modify, so they can be reset later.
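The same "deny the file its own permissions" procedure as above, scripted as an added example (editor's code, not johnb6767's) so it is repeatable and reversible. It departs from the post in two places, deliberately: Rundll32.exe is left alone, because it is a legitimate Windows binary and denying it breaks Control Panel applets and other components (deny the DLLs it is told to load instead), and the Deny entry covers read, execute, write and delete rather than Full Control, so ReadPermissions and ChangePermissions stay available and the entry can be removed later without taking ownership. Assumptions of mine: an elevated prompt (in Safe Mode if the rogue restarts the box in normal mode), and the file list from the HijackThis log.

```powershell
# Added example, not from the original post: ACL-based blocking of the rogue's files.
# Assumed (not from the thread): elevated prompt; file names from the HijackThis log.

$AclLog = "$env:USERPROFILE\Desktop\acl-changes.txt"   # the log the post says to keep

$Targets = @(
    "$env:ProgramFiles\Internet Antivirus Pro\IAPro.exe",
    "$env:SystemRoot\System32\delopozo.dll",
    "$env:SystemRoot\System32\bepijote.dll",
    "$env:SystemRoot\System32\olhrwef.exe"
)
# Rundll32.exe is intentionally absent: it is a legitimate Windows binary. Denying the DLLs
# it is asked to load (delopozo.dll, bepijote.dll) stops the O4 entries just as well.

function Block-MalwareFile {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "Not found: $Path"; return }

    $acl = Get-Acl -LiteralPath $Path
    # Record the current descriptor (SDDL) so the change can be reversed exactly
    "{0}`t{1}" -f $Path, $acl.Sddl | Add-Content -Path $AclLog

    # Stop inheriting from the parent folder but keep a copy of the inherited entries:
    # the "uncheck Inheritable Permissions, then COPY" step from the post
    $acl.SetAccessRuleProtection($true, $true)

    # A Deny ACE is evaluated before any Allow, so denying Everyone read/execute/write/delete
    # prevents the file from being run, mapped as a DLL, or replaced, whatever else is allowed.
    # ReadPermissions/ChangePermissions are not denied, so Get-Acl/Set-Acl keep working on it.
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', 'ReadData, ExecuteFile, Write, Delete', 'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $Path -AclObject $acl
    Write-Host "Blocked $Path"
}

function Unblock-MalwareFile {
    # After the reboot, once nothing is running from the file: drop the Deny entry and give
    # the current user Full Control, as the post describes, so the file can be deleted
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $denies = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone' })
    foreach ($rule in $denies) { $acl.RemoveAccessRule($rule) | Out-Null }
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $me, 'FullControl', 'Allow')))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-MalwareLoaded {
    # The post's "verify they aren't running" step: tasklist /m lists every process that has
    # the named module loaded, which catches the DLLs hosted inside Rundll32.exe too
    foreach ($t in $Targets) {
        $name = Split-Path -Leaf $t
        $hits = tasklist /m $name 2>$null | Select-String -Pattern $name -SimpleMatch
        if ($hits) {
            Write-Warning "$name is still loaded:"
            $hits | ForEach-Object { $_.Line }
        }
    }
}

# Order of operations: block all four, reboot, run Test-MalwareLoaded; if it reports
# nothing, remove the Run entries, then Unblock-MalwareFile each target and delete it.
foreach ($t in $Targets) { Block-MalwareFile -Path $t }
```

If the rogue also watches its own files from a second process, block all of them in one pass before the reboot, as the post suggests doing IAPro.exe last. The acl-changes.txt log holds the original SDDL of every file touched; `(Get-Acl $path).SetSecurityDescriptorSddlForm($sddl)` followed by Set-Acl restores one exactly if a legitimate file was blocked by mistake.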
 
Jonvee commented:
The above excellent suggestions may well have resolved your problem, but if not, try renaming ComboFix before saving it to your desktop. If you have difficulties downloading it, try downloading to another machine, then onto a USB memory stick (or equivalent media). Rename it, then connect to the problematic machine.

Also, before using ComboFix, disable any real-time anti-virus, anti-spyware, shields, etc. that you may have running.

I recommend you try initially to run ComboFix in normal mode, although it works well in normal mode or Safe Mode.

If it's convenient, an alternative would be to remove the infected HD, connect it as a 'slave' in another machine, then run ComboFix from the new machine.
 
Jonvee commented:
Hmm, sorry, just spotted that johnb6767 had already mentioned slaving to another computer. Incidentally, if you decide to slave, you may want to run Malwarebytes initially from that second machine.

You could also try Trend Micro's free online virus scanner while you are there:
http://housecall.trendmicro.com/uk/

Finally, if ComboFix doesn't completely remove all infection, we could re-run Combo using a small, appropriately worded script to do it.
 
warturtle commented:
Alternatively, you can create a Dr Web CureIt boot CD from the website below:

http://www.freedrweb.com/livecd/

Make sure to read the instructions at ftp://ftp.drweb.com/pub/drweb/livecd/LiveCD-en.pdf and burn the ISO file as an image, not as a data CD file. This CD will boot up your PC and scan for viruses and remove them.

Hope it helps.
 
mc2explore (Author) commented:
Before posting my question I tried:
Removing the drive and scanning it from another computer as the slave. This had worked in the past, but didn't work this time for this spyware. I also tried to find the folder and IApro.exe, the executable part of the program, and the search came up with nothing even though the HijackThis log file revealed it. As I said, this malware seems to have been rewritten and far better protected this time.

This is the latest I have attempted based on the postings.
I downloaded Malwarebytes and tried to update it. It was prevented from updating. So I ran it with the existing definitions in normal mode. The malware reset the computer in the middle of scanning. So then I tried the exact same thing in Safe Mode. Unfortunately it partially updated, but before completing, the computer locked up totally: no mouse, no keyboard. The only thing I could do was shut down the computer. Upon reboot I got the following message:

"The following file is missing or corrupted: \windows\system\config\system" and that was as far as the boot-up would go. I can no longer boot to Windows.

I may have to reformat the drive and end it there, but I was hoping to 'lick' this thing with the help of the experts and learn something from it in the process. I tried to repair the boot sector but to no avail.

Thanks.
 
warturtle commented:
Try the Dr Web CureIt boot CD before starting the formatting process; it might help.
 
Jonvee commented:
Also, before reformatting, you could take a look at these articles, which may provide a chance of a quicker recovery:

"How to recover from a corrupted registry that prevents Windows XP from starting":
http://support.microsoft.com/kb/307545

and ..

"C:\windows\system32\config\system missing or corrupt":
http://www.help2go.com/Tutorials/Windows/C:%5Cwindows%5Csystem32%5Cconfig%5Csystem_missing_or_corrupt.html
 
Jonvee commented:
Or see what you think of "Windows XP Crashed? Here's Help":
http://webcast.broadcastnewsroom.com/articles/viewarticle.jsp?id=8658-0
 
johnb6767 commented:
I would really look at the integrity of the HDD. A System hive showing up corrupted out of the blue: I haven't seen that often enough to warrant blaming the corruption of that hive on a malware/virus.....

Check out the HDD with the manufacturer's diagnostic utility....
 
mc2explore (Author) commented:
Thanks for your help. I am going to close this posting and distribute points, if that is OK.
 
johnb6767 commented:
I think that's fine. Are you just going to start from scratch?
 
Jonvee commented:
OK, good luck with your next move. You know where we are should you require further advice.