Malware/virus loading into system memory, AV cannot get rid of it

Question

+jnelsoninjax    11,415

Somehow I got a virus in my system, and now Kaspersky keeps warning me that it is there but cannot seem to disinfect it. I have gone through the running items with a fine-tooth comb and cannot find anything that is out of place. I have located the file in windows/system32; it is reporting to be a driver or something belonging to Toshiba. Since my system is a custom build, I know that I do not have anything Toshiba in my system. I have tried booting to safe mode and deleting the file, but the system has a lock on it and will not give it up. Short of reinstalling the OS, what other choices do I have? Perhaps someone might recommend me a Linux distro that I can install on a USB drive to boot to and kill said file?

Here is what the virus is called:

[screenshot of the Kaspersky detection name, not reproduced here]
Nick H.    9,410

Have you tried using Unlocker to delete the file?

goretsky    1,003

Hello,

Have you checked with Kaspersky Lab support? I believe they have a bootable version of their software you can use to clean threats that cannot be removed from the filesystem while the threat is in memory.

Regards,

Aryeh Goretsky
Mando    5,117
4 hours ago, jnelsoninjax said:

Somehow I got a virus in my system and now Kaspersky keeps warning me that it is there, but cannot seem to disinfect. [...] Perhaps someone might recommend me a Linux distro that I can install on a USB drive to boot to and kill said file?

Mate, bin Kaspersky ;) and use a real AV; this getting the better of Kaspersky only reinforces my personal rating of said platform.

That infection is a simple malware auto-run dropper; it ain't even virulent enough to be named a "virus". The payload usually arrives as an email attachment.

http://download.bitdefender.com/rescue_cd/latest/

Download the ISO, make a bootable USB and reboot from it, update defs when the distro comes up and it will clean that as a flat file.

If it was me, I would then burn Kaspersky off the PC with fire and install another vendor's offering.

Personally I rate the following:

1) Webroot SecureAnywhere

2) Nod32

3) Bitdefender Free/paid

4) Windows Defender set to allow frequent scans despite having a 3rd-party product installed.
  • 0
+jnelsoninjax    11,415
7 hours ago, Nick H. said:

Have you tried using Unlocker to delete the file?

Yeah, and it cannot unlock/delete the file.

5 hours ago, goretsky said:

Have you checked with Kaspersky Lab support? I believe they have a bootable version of their software you can use to clean threats that cannot be removed from the filesystem while the threat is in memory.

Thanks for the suggestion, I am going to try that.

4 hours ago, Mando said:

Mate, bin Kaspersky ;) and use a real AV [...] Download the ISO, make a bootable USB and reboot from it, update defs when the distro comes up and it will clean that as a flat file. [...] Personally I rate the following: 1) Webroot SecureAnywhere, 2) Nod32, 3) Bitdefender Free/paid, 4) Windows Defender set to allow frequent scans despite having a 3rd-party product installed.

Well, my sub expires in ~30 days and I have a Webroot key that I got from @TEX4S, so I am more than likely going to use it.
  • 0
Mando    5,117
1 hour ago, jnelsoninjax said:

Yeah, and it can not unlock/delete the file

Thanks for the suggestion, I am going to try that

Well my sub expires in ~30 days and I have a webroot key that I got from @TEX4S so I am more then likely going to use it.

The lock will cease to be an issue if you boot from a Linux live anti-v distro.

Good lad. Your PC will feel like a super-fast new version; Kaspersky is way too invasive and a system resource hog.

WSR currently is using 7 MB of resident RAM while I'm surfing ;) and has an install footprint of 3.1 MB. That would barely be enough for Kaspersky's executable?
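The point Mando makes twice above (boot a rescue Linux from USB and the "lock" stops mattering, because the file is then just a flat file on an NTFS volume that Windows is not running from) as a worked example. This is an added script, not from the thread and not part of any vendor's rescue image. The device path /dev/sda2, the mount point /mnt/win and the quarantine directory are assumptions; the suspect file path is read from an environment variable rather than guessed. It records the SHA-256, size and modification time before touching the file, and moves it to a quarantine directory instead of deleting it, so the sample can still be submitted to the AV vendor or compared with a known-good driver later.

```shell
#!/bin/sh
# Offline removal of a file that is locked while Windows is running.
# Run from a Linux live USB (ntfs-3g needed for the mount). Assumptions, not from
# the thread: Windows partition /dev/sda2, mount point /mnt/win, quarantine dir
# /root/quarantine. The suspect path is passed via SUSPECT, relative to the volume root.
set -eu

# Mount read-only first so nothing on the volume changes before the record is taken.
mount_windows_ro() {  # $1 = device, $2 = mount point
    mkdir -p "$2"
    mount -t ntfs-3g -o ro "$1" "$2"
}

# Print "sha256 size mtime" for a file; return 1 if it does not exist.
# Taken before any move so the hash can be looked up even if the sample is later lost.
record_file() {  # $1 = full path
    [ -f "$1" ] || return 1
    sum=$(sha256sum "$1" | cut -d' ' -f1)
    size=$(wc -c < "$1")
    mtime=$(stat -c %Y "$1")   # GNU stat; on busybox use: date -r "$1" +%s
    printf '%s %s %s\n' "$sum" "$size" "$mtime"
}

# Move the file out of the Windows tree rather than rm'ing it. Writes the record to
# <quarantine>/<name>.sha256 and prints the quarantined path.
quarantine_file() {  # $1 = mount point, $2 = path relative to volume root, $3 = quarantine dir
    src="$1/$2"
    name=$(basename "$2")
    mkdir -p "$3"
    record_file "$src" > "$3/$name.sha256"
    mv "$src" "$3/$name"
    printf '%s\n' "$3/$name"
}

# Only touch real devices when explicitly asked; defining the functions alone does nothing.
if [ -n "${WIN_DEV:-}" ]; then
    mount_windows_ro "$WIN_DEV" /mnt/win
    record_file "/mnt/win/${SUSPECT:?set SUSPECT to the path relative to the volume root}"
    mount -o remount,rw /mnt/win
    quarantine_file /mnt/win "$SUSPECT" /root/quarantine
    umount /mnt/win
fi
```

Usage from the live system would be `WIN_DEV=/dev/sda2 SUSPECT=Windows/System32/drivers/example.sys sh quarantine.sh`. Two caveats a practitioner would add: the service or driver entry under HKLM\SYSTEM\CurrentControlSet\Services that loaded the file is not removed by moving the file, so Windows may log a failed driver start until that entry is found and removed too; and if the file really is a signed Toshiba driver that Kaspersky is flagging by mistake, the recorded hash is what you would send to the vendor to settle that.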
  • 0
+jnelsoninjax    11,415

@Mando I tried to create a bootable USB drive using Rufus and the Bitdefender ISO. The first time I successfully booted to it, but I could not click on the accept of the EULA; I tried putting a wired mouse in the system and I still couldn't check the box. I then attempted to use Rufus to create the drive using the Kaspersky image, and it fails about 1/3 of the way in, as does Kaspersky's own tool. Now when I tried to redo the USB with Bitdefender, it goes all the way to the end, then pops up an error about a file in use by explorer.exe -r. What other choices do I have now? I am leaving for work in 30 mins and won't be home till after 0:00, so please throw some advice my way!

ITOps    40

You should use another computer to create the boot disk.

+BudMan    3,369

^ Very true!!!  A compromised box is not really a clean room ;)

+jnelsoninjax    11,415

I tried Bitdefender's ISO again (clean system), and I successfully booted to the USB drive, but Bitdefender will not load.

Circaflex    3,505
30 minutes ago, jnelsoninjax said:

I successfully booted to the USB drive, but Bitdefender will not load.

I don't quite understand, can you explain this more because they seem to contradict each other.

Mando    5,117
17 hours ago, jnelsoninjax said:

@Mando I tried to create a bootable USB drive using Rufus and the Bitdefender ISO. [...] Now when I tried to redo the USB with Bitdefender, it goes all the way to the end, then pops up an error about a file in use by explorer.exe -r. What other choices do I have now?

Try Sophos: https://community.sophos.com/kb/en-us/111374

It's usually pretty stable.

If that also has the same issue, nuke it and start over, mate. (Make sure you have legacy USB enabled in the BIOS if there's an option, so that keyboard and mouse work.)
  • 0
+jnelsoninjax    11,415
9 hours ago, Circaflex said:

I don't quite understand, can you explain this more because they seem to contradict each other.

It loads into Bitdefender, but shortly after it starts the screen goes blank, then it wakes up on the second display with a message about starting, but it never does. I just made a bootable Linux and nuked the one file that I found that seems to be the offender, I'm running a full A/V scan now to see if it is gone.

+jnelsoninjax    11,415

I ended up just nuking windows and reinstalling.

Mindovermaster    1,700
1 hour ago, jnelsoninjax said:

I ended up just nuking windows and reinstalling.

The easiest encounter. :)

Nick H.    9,410
1 hour ago, jnelsoninjax said:

I ended up just nuking windows and reinstalling.

That's a pity, but perhaps for the best. Can I ask what the virus was doing?

+jnelsoninjax    11,415
6 minutes ago, Nick H. said:

That's a pity, but perhaps for the best. Can I ask what the virus was doing?

It was sitting in RAM and after a certain amount of time the Internet would stop working due to security issues.

+BudMan    3,369

It's the only way to be sure, to be honest.
  • 0
ITOps    40
4 hours ago, jnelsoninjax said:

I ended up just nuking windows and reinstalling.

This is good. Sometimes this is the only way, and it is best practice once you're compromised anyway, as you never know what else is really sitting on your machine. Did you properly blow away your boot partitions too (MBR, GPT, and do a full format to ensure everything was wiped)?

+jnelsoninjax    11,415
Just now, ITOps said:

This is good. Sometimes this is the only way, and it is best practice once you're compromised anyway, as you never know what else is really sitting on your machine. Did you properly blow away your boot partitions too (MBR, GPT, and do a full format to ensure everything was wiped)?

Of course!

Brandon H    2,636
3 hours ago, jnelsoninjax said:

It was sitting in RAM and after a certain amount of time the Internet would stop working due to security issues.

Oh my, it must have messed with the network stack or something.

Sounds like a pain; I would have wiped and started fresh too.

+jnelsoninjax    11,415
3 minutes ago, Brandon H said:

oh my, it must have messed with the network stack or something.

sounds like a pain, i would have wiped and started fresh too.

The worst part is I know how and when it got into my system, and I was at work when it happened and my roommate was 'playing around' on my system... I have changed the password!

ITOps    40
54 minutes ago, jnelsoninjax said:

The worst part is I know how and when it got into my system, and I was at work when it happened and my roommate was 'playing around' on my system... I have changed the password!

Yeah, don't let anyone on your box but yourself. I always smile big when people ask if they can use my computer; I always say no. It only takes a few minutes for a non-owner to wreak havoc and jack your box up beyond repair.

+jnelsoninjax    11,415
14 minutes ago, ITOps said:

Yeah, don't let anyone on your box but yourself. I always smile big when people ask if they can use my computer; I always say no. It only takes a few minutes for a non-owner to wreak havoc and jack your box up beyond repair.

The worst part is he is very computer savvy, but his SSD died and he was using my external dock to transfer data off it, and somehow also brought the other little gift...

ITOps    40
1 hour ago, jnelsoninjax said:

The worst part is he is very computer savy, but his SSD died and he was using my external dock to transfer data off it, and somehow also brought the other little gift...

Ouch. Well, lock your room and ensure none of your electronics are accessible by anyone but you. The best way to keep them out is by physically doing it. The SSD probably isn't dead, but probably has ransomware and other goodies on it that keep it from working properly.

+warwagon    12,714
1 hour ago, ITOps said:

Yeah, don't let anyone on your box but yourself.  I always smile big when people ask if they can use my computer, I always say no.  It only takes a few minutes for a non owner to wreck havoc and jack your box up beyond repair.

Exactly. There is a particular site I visit, which is a great site for what it's for, but their ads suck. The moment you click in the search box you get crap like this, then it goes away until the next day you come back and click on the search box.

[two screenshots of the ad pop-ups, not reproduced here]
