This had ME stumped Antivirus XP 2008 cleaning


Dan18960
08-07-2008, 01:41 PM
Now I have had several systems to repair with Antivirus XP 2008 and it goes without saying - I CAN get the job done!

One of the standard Modus Operandi (Lina can correct if necessary :cool:) is to do the Windows updates. After all, customers seem to NEVER have their updates done! Usually I have to re-register the dll files (I almost have that list memorized LOL) and the failed installs complete with no problem.

NOW for the STUMPED part!

Client called late yesterday afternoon and proclaimed they had gotten a virus and the antivirus (corporate customer so this is the corporate version which is different from the standard antivirus used by most here) had been disabled. Now I remember Steve (or was it Scott) talking about a new strain that operated that way???

Well, I pick up the system, pull the hard drive, run SAS, AVG Professional 8, MalwareBytes, and cleared the tmp files (actually I cleared the tmp files before doing any of the scans). Got an all-clear from all scans so hard drive put back into its own box (I should say I am ACTUALLY working with an imaged drive not the client's drive right now), download current SAS and start the usual registry identification of AntiXP2008 and remove them. Found the 19 entries and cleared them. Rebooted machine and ran Antivirus and SAS and everything came back clean. OK this is usual and I start to do the Windows Updates. . . . . .

WELL this is where things got REALLY strange - I have NEVER had this happen before (and I mean NEVER)! Out of 33 updates ONLY 2 would download and install. The rest FAILED at downloading! I have had failures at INSTALLING but NEVER at downloading!

Well, I had a trouble report to MS several months ago and I printed out that gem! It goes through re-registering the dlls, forcing windows updates, clearing the software distribution folder, and several other steps.

Since I was not even getting a download, I decided that the dlls were not the issue so I went to forcing the Windows updates - there is a specific file that you have to get from MS to do this - and tried again. Nope, not downloading. Next step is to stop the update services, rename the Software Distribution folder (they suggest sold - I decided on sdold), and then start the update services again. Then go to Windows Updates.

I would like to say IT WORKED! MS recreated the software distribution folder and log and did the downloads successfully and then the installs went right in.

This HAS to be an update of the Antivirus XP 2008 mutation since that is the only infection that was found on the computer.

Scotty
08-07-2008, 06:09 PM
I've not seen that happen with XPAV2008, it's more of a Vundo trait. But I never say never.

Dan18960
08-08-2008, 02:23 AM
Scotty,

I hadn't seen it with XPAV2008 either - that is why it had me stumped for a bit.

But the system is back in production and the client is VERY happy at my one day turnaround.

Of course, it was a SEVEN hour job - but NO DATA was lost! AND that would have taken TWO WEEKS to recreate IF they could have recreated all of it. So my 7 hours looks like a drop in the bucket to them AND I look like the hero I am :D

AND before you say they could have replaced the computer for less than my hours - this client had NOT listened to me. They were NOT saving their data on the server :mad2: where it would have been backed up daily. They were saving it to their workstation. That has been corrected. :D :cool:

Scotty
08-08-2008, 05:21 AM
I wasn't going to say a thing.:D

I'm not a fan of formatting and starting over. Yes I know it only takes an hour to reinstall Windows, but it takes weeks to get the computer back to the way you like it.

allheart55
08-08-2008, 09:06 AM
I wasn't going to say a thing.:D

I'm not a fan of formatting and starting over. Yes I know it only takes an hour to reinstall Windows, but it takes weeks to get the computer back to the way you like it.
Scotty, I have only one word....Acronis, Acronis, Acronis. (Said 3x but they still don't listen.) :D

mylanta
08-08-2008, 04:55 PM
Good point Cindy. Someone here, and I believe it is Kelly, makes an image file of the client system before doing anything and I do the same thing if I know I am going into "dangerous waters", but I disagree completely with trying to save a system when it is completely farkled. It takes an hour to do the OS, and a bit of time to reinstall programs, but for the average user, hardly days or weeks to tweak the system back; they mostly tweak nothing, and rather than spend 7 hours trying to fix a system I can copy out files and data and reformat and reinstall and be back better than they were in a few hours, without discovering some unfixable thing at the end.

Dan18960
08-09-2008, 07:03 AM
Rich,

That is very true with the home user clientele, but in the corporate area, managers look at the employee as being unproductive for the time they are restoring back all their data, documents, spreadsheets, PowerPoint presentations, newsletters, emails, address books, and printing definitions.

The managers are more than happy to pay for me to protect all that information and settings with one day out of production than have the employee spend even a few days when they could be working at what they are supposed to be doing for THEM (the managers).

In my case, the user not only had documents in the "correct" places, but they had saved them to the desktop, the root of C:\, and in self-defined folders on the C:\ drive. And I am pretty sure that there were even some buried in the application installations in the Program Files area (like Quicken USED to do!).

When I delivered back the system the General Manager was VERY happy that I had retained all the data and his secretary could just start the day as if nothing had happened. The secretary was happy since she could get "back to work".

Sometimes you have to know your client to add value added services. When that service has immediate value of getting someone back to work in their own comfort zone, the cost is recognized as a necessity not a gouching (sp - again Lina can correct :D).

mylanta
08-09-2008, 08:08 AM
Dan,
Once again I think it is method here more than anything. If you make the ATI image file then you have all the files and documents in exactly the same place, because you install Windows and then the first install is ATI and then you bring back the files and data from that. Want to see exactly what it looked like before? Well, there again you have the image file to explore, and what you don't have is the little grey areas of the registry that never affected anything you were fixing that are still screwed up and will come back another day to haunt. It's what you don't know and don't try that will eventually come back to haunt. Once again, if you know exactly how the pc should be set up, then you know enough to recreate it with a clean Windows Registry, which you will never get completely the other way, IMHO. BTW I in no way meant gouging either going the other way, just methodology.

mommalina
08-09-2008, 09:42 AM
Sometimes you have to know your client to add value added services. When that service has immediate value of getting someone back to work in their own comfort zone, the cost is recognized as a necessity not a gouching (sp - again Lina can correct :D).

Dan, would be glad to oblige if I knew what you meant .. :confused:

Per chance, did you mean gouging?

If not, we'll just add gouching to the KH dictionary, just as
we have the word farkle. .. ;)

Dan18960
08-09-2008, 10:11 AM
Dan, would be glad to oblige if I knew what you meant .. :confused:

Per chance, did you mean gouging? YEP that is the one :D

z0iid
09-03-2008, 10:46 PM
I am posting a blog on this issue of Antivirus XP 2008. You will face:palm when you see the fix. But rather than post a link to the blog, I will post the contents.


----------------

Antivirus 2008, 2009, etc

There are many variants of the AV2008, AV2009, MSAV virus/malware out right now. Most of the removal guides are not very complete - including TrendMicro, Symantec, and many forums.

What I have found is that most fail to remove the actual driver/rootkit that is running. Although the other portions are removed, and the system may seem to be running "ok", you will become frustrated if you have to install something with Windows Installer, or an msi product. This crapware breaks the Windows Installer service, and none of the MSKBs will help you in fixing this. You will not be able to re-install any version of Installer. The reason: the rootkit locks the registry keys required to reinstall or use Windows Installer. It also breaks .cmd files from running. It also breaks certain parts of network connectivity within Novell environments; I am not sure about AD, but it probably breaks mapped drives. It will not be removed or even recognized by most A/V products. Including fan boys Spybot, AdAware, SuperAntispyware, ComboFix, BigFix. So you'll have to do some dirty work yourself. It really isn't that difficult or involved, you just have to use some common sense.

You do not need to be in safe-mode to remove this virus, so if you are fixing remotely, you can follow these instructions.

Download and run the latest version of Autoruns from www.sysinternals.com. Make sure to run this as administrator. Hit ESC when it starts scanning. Go to Options and check all three options. "Include Empty Locations" "Verify Code Signatures" "Hide Signed Microsoft Entries". This will create a smaller list of items to sort through, as well as show you items that may be attempting to masquerade as Microsoft.

Assuming you have already performed the initial clean (you can find several forums with detailed instructions; Symantec and Trend both have detailed removal instructions as well), you will want to pay special attention to the "Drivers" section. You can take the time to google each item if you aren't sure what they are. The driver you are looking for has a random name. In one case, it was zjjzzjjzz.sys. In another, it was swuummni.sys. Basically - if you google the name of the driver, you will likely get ZERO results. This is actually a good thing, since it is likely the driver you need to remove. It may show up as "Cannot find file" in Autoruns. Another way is to go to Device Manager, show hidden devices, and expand out the "Non-Plug and Play Drivers". Some things show up in Autoruns that don't show up here, but so far, this driver DOES show up in Device Manager.

Once you have identified the driver, download and install the latest version of Unlocker. Open up a cmd prompt (as administrator, of course) and cd to program files\unlocker. Type: "unlocker c:\windows\system32\drivers\[name of driver].sys"
Hit enter. It may say "No handles found: what action?" In that case, select delete. If it IS locked, then select "delete" and click "unlock all".

Then in Device Manager, right click on the driver, select "disable". (Don't reboot.) Then right click, select uninstall. (Don't reboot.) Delete the entry in Autoruns.

Reboot.

Verify that the driver no longer exists. (You may want to use GMER to view the file system, if it doesn't show up, then check hidden items only. If it shows up, select it, press kill, then delete. I haven't needed to do this yet.)

The locked registry keys shouldn't be locked anymore, and Windows Update and other MSI products should work. If not, the MSKB on MSI Installer - Reinstall should work.


**EDIT**

I work at a hospital, so we get many infected machines. Another virus that showed up today, (didn't know it was a virus at first) was completely ignored by Trend, and by mistake, found that NOD32 had trouble with it too. It recognized it, but was unable to remove it. On the first machine, we got a call that the computer was "unresponsive". Would hang on reboot, and after hard booting, it would hang shortly after login (locally, or network.) So the first one, I did all my normal investigative work - in safe mode, because that was the only way it wouldn't lock up. I didn't see anything out of the norm, and RootkitUnhooker didn't see suspicious behavior, nor did GMER. The key here: I wasn't looking closely enough. I reimaged that machine because I had already wasted enough time. Then two more came up. So I looked closer. And wouldn't you know, under Image Hijacks (Autoruns), explorer.exe was attached to c:\program files\microsoft common\wuauclt.exe. Doh. Then it was simple to just remove the file and kill the registry entry. BUT.... When I plugged the usb key I had used on that machine to my computer back at the office... my computer running NOD32 found "autorun.inf" virus right away. And before I could react, it rebooted and then NOD32 was unable to remove. Manual removal was possible without booting into safe mode, maybe because NOD was at least doing something. But be aware.

--------------------------

link to blog:

http://slideeffects.blogspot.com/2008/09/antivirus-2008-2009-etc.html
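The two checks the post walks through by hand in Autoruns and Device Manager (a kernel driver with a random name whose file is missing or unsigned, and an executable "attached" to explorer.exe under Image Hijacks) can be scripted for triage. This is an added example, not code from the post or the blog: a read-only PowerShell script that lists kernel drivers failing those tests and any Image File Execution Options Debugger values (one of the registry locations Autoruns reports under Image Hijacks). It assumes an elevated prompt and changes nothing; anything it lists still needs the manual lookup the post describes.

```powershell
# Added triage script (not from the original post). Read-only: it only reports.
# Run from an elevated PowerShell prompt on the suspect machine.

function Get-SuspiciousDriver {
    # Win32_SystemDriver covers the same kernel-mode entries Device Manager shows
    # under "Non-Plug and Play Drivers" when hidden devices are displayed.
    Get-WmiObject Win32_SystemDriver | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }
        # PathName may be "\SystemRoot\...", "\??\C:\..." or "system32\...";
        # normalise it to a plain drive path before testing the file.
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
        $exists = Test-Path $path
        # Equivalent of Autoruns "Verify Code Signatures" + "Hide Signed Microsoft Entries":
        # only drivers whose file is gone, or whose signature does not verify, are reported.
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
        if (-not $exists -or $sig -ne 'Valid') {
            New-Object PSObject -Property @{
                Name = $_.Name; State = $_.State; StartMode = $_.StartMode
                Path = $path; Signature = $sig
            }
        }
    }
}

function Get-IfeoDebugger {
    # A "Debugger" value under Image File Execution Options makes Windows launch that
    # program instead of (and with) the named image - the hook behind an explorer.exe
    # entry pointing at a foreign executable in Autoruns' Image Hijacks tab.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { New-Object PSObject -Property @{ Image = $_.PSChildName; Debugger = $dbg } }
    }
}

"=== Drivers with missing or unverifiable binaries ==="
Get-SuspiciousDriver | Sort-Object Name | Format-Table Name, State, StartMode, Signature, Path -AutoSize
"=== Image File Execution Options Debugger hooks ==="
Get-IfeoDebugger | Format-Table Image, Debugger -AutoSize
```

Catalog-signed Microsoft drivers can report NotSigned on older Windows releases, and a Debugger entry is legitimate when it points at a developer tool you installed, so treat both lists as leads to look up by name (as the post recommends), not as a removal list.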