Malware/virus loading into system memory, AV cannot get rid of it

Somehow I got a virus in my system and now Kaspersky keeps warning me that it is there, but cannot seem to disinfect. I have gone through the running items with a fine-tooth comb and cannot find anything that is out of place. I have located the file in windows/system32; it is reported to be a driver or something belonging to Toshiba. Since my system is a custom build, I know that I do not have anything Toshiba in my system. I have tried booting safe mode and deleting the file, but the system has a lock on it and will not give it up. Short of reinstalling the OS, what other choices do I have? Perhaps someone might recommend me a Linux distro that I can install on a USB drive to boot to and kill said file?

Here is what the virus is called:

[attached screenshot of the Kaspersky detection name]

Hello,

Have you checked with Kaspersky Lab support? I believe they have a bootable version of their software you can use to clean threats that cannot be removed from the filesystem while the threat is in memory.

Regards,

Aryeh Goretsky

4 hours ago, jnelsoninjax said:

Somehow I got a virus in my system and now Kaspersky keeps warning me that it is there, but cannot seem to disinfect. I have gone through the running items with a fine-tooth comb and cannot find anything that is out of place. I have located the file in windows/system32; it is reported to be a driver or something belonging to Toshiba. Since my system is a custom build, I know that I do not have anything Toshiba in my system. I have tried booting safe mode and deleting the file, but the system has a lock on it and will not give it up. Short of reinstalling the OS, what other choices do I have? Perhaps someone might recommend me a Linux distro that I can install on a USB drive to boot to and kill said file?

Here is what the virus is called:

[attached screenshot of the Kaspersky detection name]

Mate, bin Kaspersky ;) and use a real AV. This getting the better of Kaspersky only reinforces my personal rating of said platform.

That infection is a simple malware auto-run dropper; it ain't even virulent enough to be named a "virus". The payload usually arrives as an email attachment.

http://download.bitdefender.com/rescue_cd/latest/

Download the ISO, make a bootable USB and reboot from it; update defs when the distro comes up and it will clean that as a flat file.

If it were me, I would then burn Kaspersky off the PC with fire and install another vendor's offering.

Personally I rate the following:

1) Webroot Secure Anywhere

2) Nod32

3) Bitdefender Free/paid

4) Windows Defender set to allow frequent scans despite having a 3rd party product installed.

7 hours ago, Nick H. said:

Have you tried using Unlocker to delete the file?

Yeah, and it cannot unlock/delete the file

5 hours ago, goretsky said:

Hello,

Have you checked with Kaspersky Lab support? I believe they have a bootable version of their software you can use to clean threats that cannot be removed from the filesystem while the threat is in memory.

Regards,

Aryeh Goretsky

Thanks for the suggestion, I am going to try that

4 hours ago, Mando said:

Mate, bin Kaspersky ;) and use a real AV. This getting the better of Kaspersky only reinforces my personal rating of said platform.

That infection is a simple malware auto-run dropper; it ain't even virulent enough to be named a "virus". The payload usually arrives as an email attachment.

http://download.bitdefender.com/rescue_cd/latest/

Download the ISO, make a bootable USB and reboot from it; update defs when the distro comes up and it will clean that as a flat file.

If it were me, I would then burn Kaspersky off the PC with fire and install another vendor's offering.

Personally I rate the following:

1) Webroot Secure Anywhere

2) Nod32

3) Bitdefender Free/paid

4) Windows Defender set to allow frequent scans despite having a 3rd party product installed.

Well, my sub expires in ~30 days and I have a Webroot key that I got from @TEX4S, so I am more than likely going to use it.

1 hour ago, jnelsoninjax said:

Yeah, and it cannot unlock/delete the file

Thanks for the suggestion, I am going to try that

Well, my sub expires in ~30 days and I have a Webroot key that I got from @TEX4S, so I am more than likely going to use it.

The lock will cease to be an issue if you boot from a Linux live anti-V distro.

Good lad, your PC will feel like a super-fast new version; Kaspersky is way too invasive and a system resource hog.

WSR currently is using 7 MB of resident RAM while I'm surfing ;) and has an install footprint of 3.1 MB; that would barely be enough for Kaspersky's executable?

@Mando I tried to create a bootable USB drive using Rufus and the Bitdefender ISO. The first time I successfully booted to it, but I could not click on the accept of the EULA; I tried putting a wired mouse in the system and I still couldn't check the box. I then attempted to use Rufus to create the drive using the Kaspersky image; it fails about 1/3 of the way in, as does Kaspersky's own tool. Now when I tried to redo the USB with Bitdefender, it goes all the way to the end, then pops up an error about a file in use by explorer.exe -r. What other choices do I have now? I am leaving for work in 30 mins and won't be home till after 0:00, so please throw some advice my way!

I tried Bitdefender's ISO again (clean system), and I successfully booted to the USB drive, but Bitdefender will not load.

30 minutes ago, jnelsoninjax said:

I successfully booted to the USB drive, but Bitdefender will not load.

I don't quite understand, can you explain this more because they seem to contradict each other.

17 hours ago, jnelsoninjax said:

@Mando I tried to create a bootable USB drive using Rufus and the Bitdefender ISO. The first time I successfully booted to it, but I could not click on the accept of the EULA; I tried putting a wired mouse in the system and I still couldn't check the box. I then attempted to use Rufus to create the drive using the Kaspersky image; it fails about 1/3 of the way in, as does Kaspersky's own tool. Now when I tried to redo the USB with Bitdefender, it goes all the way to the end, then pops up an error about a file in use by explorer.exe -r. What other choices do I have now? I am leaving for work in 30 mins and won't be home till after 0:00, so please throw some advice my way!

Try Sophos: https://community.sophos.com/kb/en-us/111374

It's usually pretty stable.

If that also has the same issue, nuke it and start over, mate. (Make sure you have legacy USB enabled in the BIOS if there's an option, so that keyboard and mouse work.)

9 hours ago, Circaflex said:

I don't quite understand, can you explain this more because they seem to contradict each other.

It loads into Bitdefender, but shortly after it starts the screen goes blank, then it wakes up on the second display with a message about starting, but it never does. I just made a bootable Linux and nuked the one file that I found that seems to be the offender, I'm running a full A/V scan now to see if it is gone.

1 hour ago, jnelsoninjax said:

I ended up just nuking windows and reinstalling.

The easiest encounter. :)

1 hour ago, jnelsoninjax said:

I ended up just nuking windows and reinstalling.

That's a pity, but perhaps for the best. Can I ask what the virus was doing?

6 minutes ago, Nick H. said:

That's a pity, but perhaps for the best. Can I ask what the virus was doing?

It was sitting in RAM and after a certain amount of time the Internet would stop working due to security issues.

4 hours ago, jnelsoninjax said:

I ended up just nuking windows and reinstalling.

This is good; sometimes this is the only way, and best practice once you're compromised anyway, as you never know what else is really sitting on your machine. Did you properly blow away your boot partitions too (MBR, GPT, and do a full format to ensure everything was wiped)?

Just now, ITOps said:

This is good; sometimes this is the only way, and best practice once you're compromised anyway, as you never know what else is really sitting on your machine. Did you properly blow away your boot partitions too (MBR, GPT, and do a full format to ensure everything was wiped)?

Of course!

3 hours ago, jnelsoninjax said:

It was sitting in RAM and after a certain amount of time the Internet would stop working due to security issues.

Oh my, it must have messed with the network stack or something.

Sounds like a pain; I would have wiped and started fresh too.

3 minutes ago, Brandon H said:

Oh my, it must have messed with the network stack or something.

Sounds like a pain; I would have wiped and started fresh too.

The worst part is I know how and when it got into my system, and I was at work when it happened and my roommate was 'playing around' on my system... I have changed the password!

54 minutes ago, jnelsoninjax said:

The worst part is I know how and when it got into my system, and I was at work when it happened and my roommate was 'playing around' on my system... I have changed the password!

Yeah, don't let anyone on your box but yourself. I always smile big when people ask if they can use my computer; I always say no. It only takes a few minutes for a non-owner to wreak havoc and jack your box up beyond repair.

14 minutes ago, ITOps said:

Yeah, don't let anyone on your box but yourself. I always smile big when people ask if they can use my computer; I always say no. It only takes a few minutes for a non-owner to wreak havoc and jack your box up beyond repair.

The worst part is he is very computer savvy, but his SSD died and he was using my external dock to transfer data off it, and somehow also brought the other little gift...

1 hour ago, jnelsoninjax said:

The worst part is he is very computer savvy, but his SSD died and he was using my external dock to transfer data off it, and somehow also brought the other little gift...

Ouch, well, lock your room and ensure none of your electronics are accessible by anyone but you. The best way to keep them out is by physically doing it. The SSD probably isn't dead, but probably has ransomware and other goodies on it that keep it from working properly.
