new virus I cannot get rid of...

cubby1223

Lifer
May 24, 2004
I've seen this on a 3rd computer now in short time and still don't know how to remove it.

The noticeable symptoms are extremely slow computer, two explorer.exe processes, a bunch of cmd.exe processes, msiexec.exe processes, occasionally a notepad.exe process, msdtc.exe process. In the user's temp directory, there are many folders and inside each folder is a structure like an Internet Explorer cache directory. If I use task manager to end the explorer.exe process, all the other processes listed above go away, and the computer returns to normal. But obviously without explorer.exe running you cannot really do much.

The first computer I saw it on was an ancient Athlon XP machine with WinXP; I never tried to remove the virus and instead sold them a C2D Win7 system.

On the second computer Malwarebytes picked up on something it called trojan.FakeMS, which is a very generic term; once it was removed the system was back to normal.

On the third computer, nothing is picking up on anything. Rkill, combofix, tdsskiller, malwarebytes, hitman pro, adwcleaner, mse, kaspersky, hijackthis, none of them are identifying anything as a problem! I checked where the problem file was identified on the second computer and nothing is there on this machine. And unfortunately this system has a lot of old software needed for the business, so I'm not sure I am capable of reloading Windows from scratch.

Anybody seen what I described and have any tip that might help? Thanks

rumpleforeskin

Senior member
Nov 3, 2008
After trying all those malware/virus scanners and still not identifying the problem you are almost certainly in a position where restoring your backup will be quicker than finding a solution.

cubby1223

Lifer
May 24, 2004
These aren't my machines; I work for whomever calls me for help. I don't always have a backup available. And I've seen this same thing on 3 independent systems, and I'm probably going to see more shortly.

PliotronX

Diamond Member
Oct 17, 1999
You could give Herdprotect a shot and then there is something called OTL that logs a bunch of stuff that you can post over at Bleeping Computer and those guys are good at picking apart stuff that doesn't belong. Lordy do I love me some specialized software with lost license information from defunct vendors. I know your feels, man.

Elixer

Lifer
May 7, 2002
Are these all XP machines?
Would also have to see what is running at startup before you can debug this.

It is possible that you have multiple instances of explorer if it hangs...
I would also run memtest86+ on these, let it run overnight (if you can) and see if it shows anything wrong.

cubby1223

Lifer
May 24, 2004
On this machine this virus disguised itself as AVG. I didn't see it at first because the company has AVG on all their computers. After I used the manual uninstall tool, and saw an AVG directory was still "there", I noticed it was not where it should be located. Once that directory was deleted out, things went back to normal on the computer.

At least I hope this is settled for the long run. I don't know.

But still not happy it's not being picked up reliably by any of the software I'm throwing at it. With the variations from one system to the next, whoever is creating this problem is probably continuously making minor tweaks to avoid detection.

Chiefcrowe

Diamond Member
Sep 15, 2008
I'd also recommend running an AV from bootable media, have you tried that yet?

PliotronX

Diamond Member
Oct 17, 1999
Have you tried the standalone Malwarebytes Anti-Rootkit? bootrec in WinRE?

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
> I love me some specialized software with lost license information from defunct vendors. I know your feels, man.

Seriously man...I just did an install for a dude who was using a specialized software package (no CD or license to re-install, of course), where the company had gone out of business...in like 1999. I was able to somehow manually extract an install package using the embedded license key, but then we found out the program was capped at 1GB RAM...no, not that it USED 1GB of RAM, that it couldn't be run on a computer with MORE than 1GB of RAM!

Ultimately ended up doing a P2V & stripping the OS down (XP), then sharing the printer virtually through the host OS, with a VM capped at 1GB system RAM. It worked. It was a horrible solution, but it worked :D

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
> On this machine this virus disguised itself as AVG. I didn't see it at first because the company has AVG on all their computers. After I used the manual uninstall tool, and saw an AVG directory was still "there", I noticed it was not where it should be located. Once that directory was deleted out, things went back to normal on the computer.
>
> At least I hope this is settled for the long run. I don't know.
>
> But still not happy it's not being picked up reliably by any of the software I'm throwing at it. With the variations from one system to the next, whoever is creating this problem is probably continuously making minor tweaks to avoid detection.

Yeah I just ran into one like that last week, drove me NUTS! Adwcleaner was actually the only one that could detect it. Like PliotronX said, give Herdprotect a shot. I would also install an Avast trial - it's pretty good about picking up things like modified DLLs & hidden svchost redirects, which is what clued me into the problem & which eventually got solved using Adwcleaner. It was a dropper too, so not only would it modify DLLs, but it would then drop other crap all over the system (also invisibly). Total nightmare to clean off!

xgsound

Golden Member
Jan 22, 2002
The op didn't mention "Junkware removal tool". I've never needed/ used it yet for removal so YMMV. I've heard it catches some overlooked items and it is available at Bleeping Computer. One more tool for the arsenal.

Jim

LPCTech

Senior member
Dec 11, 2013
I find that you can usually get a computer fully clean with this combo done in this order:

Boot to safe mode with networking
run rkill
run junkware removal tool
run Hitman Pro
reboot into normal mode
run ADWcleaner
reboot
run revo (remove anything odd that is recently installed)
run jetclean (you can use this to uninstall programs revo can't see, then do the 1-click fix)
run autoruns (uncheck everything that's yellow and anything obviously malware, or skip this step)
reboot
run "sfc /scannow" from an admin command prompt; when it's done, reboot

This will fully clean a PC most of the time. I know of 4 malwares that this will not remove, but I'm sure there are others, e.g. Poweliks.

chin311

Diamond Member
Feb 27, 2003
Try running Malwarebytes Anti Rootkit, it's gotten rid of some *#&$ others wouldn't for me.

If no luck, the usual suspects as mentioned: combofix, malwarebytes antimalware, hitmanpro, TDSSKiller, etc etc

DigDog

Lifer
Jun 3, 2011
GMER when you have nowhere else to turn.

(note: it will happily destroy your pc if you misuse it - read the instructions - save your data)