Wednesday, September 3, 2008

Antivirus 2008, 2009, etc

There are many variants of the AV2008, AV2009 and MSAV rogue antivirus malware circulating right now. Most of the removal guides, including those from Trend Micro, Symantec and many forums, are incomplete.

What I have found is that most of them fail to remove the driver (the rootkit) that is actually running. The other components get removed and the system may seem to be running "ok", but you will become frustrated the first time you have to install anything through Windows Installer (an .msi package). This crapware breaks the Windows Installer service, and none of the MSKB articles will help you fix it: you will not be able to reinstall any version of Windows Installer, because the rootkit locks the registry keys required to reinstall or use it. It also stops .cmd files from running, and it breaks parts of network connectivity in Novell environments; I am not sure about AD, but it probably breaks mapped drives there too.

It will not be removed, or even recognized, by most A/V products, including the fan favourites Spybot, Ad-Aware, SUPERAntiSpyware, ComboFix and BigFix. So you'll have to do some dirty work yourself. It really isn't that difficult or involved; you just have to use some common sense.

You do not need to be in safe mode to remove this, so these instructions also work if you are fixing the machine remotely.

Download and run the latest version of Autoruns from www.sysinternals.com, making sure to run it as administrator. Hit ESC when it starts scanning, go to Options and check all three options: "Include Empty Locations", "Verify Code Signatures" and "Hide Signed Microsoft Entries", then press F5 to rescan. This gives you a shorter list to sort through and also exposes items trying to masquerade as Microsoft: only entries whose signature actually verifies are hidden, so a file that merely claims to be from Microsoft stays visible.

Assuming you have already performed the initial clean (several forums have detailed instructions, and Symantec and Trend both publish removal steps), pay special attention to the "Drivers" tab. Take the time to Google each item you are not sure about. The driver you are looking for has a random name: in one case it was zjjzzjjzz.sys, in another swuummni.sys. Basically, if you Google the name of the driver you will likely get ZERO results, and that is actually a good sign, since it is likely the driver you need to remove. It may show up as "Cannot find file" in Autoruns, which is itself suspicious for a driver that is loaded and running. Another way to find it is Device Manager: choose View, "Show hidden devices", and expand "Non-Plug and Play Drivers". Some things that show up in Autoruns don't show up here, but so far this driver DOES show up in Device Manager.

Once you have identified the driver, download and install the latest version of Unlocker. Open a cmd prompt (as administrator, of course), cd to "Program Files\Unlocker" and type:

unlocker c:\windows\system32\drivers\[name of driver].sys

Hit Enter. If it says "No handles found: what action?", select Delete. If the file IS locked, select Delete from the action list and click "Unlock all".

Then in Device Manager, right-click the driver and select Disable (don't reboot). Right-click it again and select Uninstall (don't reboot). Finally, delete its entry in Autoruns.

Reboot.

Verify that the driver no longer exists. (You may want to use GMER to view the file system: if the file doesn't show up, check again with "hidden items only"; if it does show up, select it, press Kill and then Delete. I haven't needed to do this yet.)

The locked registry keys should no longer be locked, and Windows Update and other MSI-based installs should work again. If not, the MSKB article on reinstalling Windows Installer should now work.
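The hunt-and-remove procedure above, scripted, as an added example that is my own and not code from the original post. It lists kernel-mode driver services that have no valid signature (the same idea as the Autoruns "Hide Signed Microsoft Entries" view), marks a driver that is Running while its file cannot be found, scores names that look random, and can tear down one confirmed driver the way the post does by hand: stop it, delete the service entry (what Device Manager "Uninstall" and the Autoruns delete do), delete the file, then reboot. The name heuristic, the list of Windows Installer keys checked after the reboot, the script name and the Unlocker fallback are all my assumptions.

```powershell
<#
  Added example, not from the original post. Run as administrator.
    .\Find-RogueDriver.ps1                      # list unsigned / missing driver services
    .\Find-RogueDriver.ps1 -Remove zjjzzjjzz    # remove a confirmed suspect, then reboot
    .\Find-RogueDriver.ps1 -CheckInstaller      # after reboot: are the Installer keys readable?
#>
param([string]$Remove, [switch]$CheckInstaller)

$sysRoot = $env:SystemRoot

function Resolve-DriverPath([string]$PathName, [string]$Name) {
    # Image paths come in several spellings (\??\C:\..., \SystemRoot\..., system32\...);
    # normalise to a plain drive path. No path at all: assume the default location.
    if (-not $PathName) { return (Join-Path $sysRoot "system32\drivers\$Name.sys") }
    $p = $PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$sysRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $sysRoot $p }
    return $p
}

function Get-NameScore([string]$Name) {
    # Crude "looks random" score (my own heuristic), used only as a tie-breaker:
    # zjjzzjjzz scores 3, swuummni scores 1, acpi / tcpip / ndis score 0.
    $n = $Name.ToLower(); $score = 0
    $vowels = [regex]::Matches($n, '[aeiouy]').Count
    if ($n.Length -ge 7 -and ($vowels / $n.Length) -lt 0.25) { $score++ }  # almost no vowels
    if ($n -match '(..).*\1') { $score++ }                                 # a letter pair repeats
    if ($n -match '^[a-z]{8,}$') { $score++ }                              # long, letters only
    return $score
}

function Get-SuspiciousDrivers {
    foreach ($d in Get-WmiObject Win32_SystemDriver) {
        $path = Resolve-DriverPath $d.PathName $d.Name
        $sig = 'missing'; $company = ''
        if (Test-Path -LiteralPath $path) {
            # Caveat: older PowerShell ignores catalog signatures, and most Microsoft
            # drivers on XP are catalog-signed, so they also show NotSigned here.
            # Company and NameScore then separate them from a random-named stranger.
            $sig     = (Get-AuthenticodeSignature -FilePath $path).Status
            $company = (Get-Item -LiteralPath $path -Force).VersionInfo.CompanyName
        }
        if ($sig -eq 'Valid') { continue }   # verified signature: not what we are hunting
        New-Object PSObject -Property @{
            Name      = $d.Name
            State     = $d.State        # Running + 'missing' file = the file is being hidden
            Signature = $sig            # NotSigned, missing, ...
            Company   = $company
            NameScore = Get-NameScore $d.Name
            Path      = $path
        }
    }
}

function Remove-RogueDriver([string]$Name) {
    $d = Get-WmiObject Win32_SystemDriver -Filter "Name='$Name'"
    if (-not $d) { throw "no driver service named '$Name'" }
    $path = Resolve-DriverPath $d.PathName $d.Name
    # Mirror the post, no reboot in between: stop (a rootkit driver usually refuses to
    # unload, which is fine), remove the service entry, then delete the file.
    sc.exe stop $Name   | Out-Null
    sc.exe delete $Name | Out-Null
    try   { Remove-Item -LiteralPath $path -Force -ErrorAction Stop }
    catch { Write-Warning "Could not delete $path (held open by the rootkit?). Try: unlocker `"$path`"" }
    Write-Host "Service entry for $Name removed. Reboot, then run again with -CheckInstaller."
}

function Test-InstallerKeys {
    # After the reboot the keys Windows Installer needs should be readable again.
    # Which keys the rootkit locks is not stated in the post; these three are my guess.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer',
            'HKLM:\SOFTWARE\Classes\Installer',
            'HKLM:\SYSTEM\CurrentControlSet\Services\MSIServer'
    foreach ($k in $keys) {
        try   { $null = Get-ItemProperty -LiteralPath $k -ErrorAction Stop; "OK       $k" }
        catch { "BLOCKED  $k  ($($_.Exception.Message))" }
    }
}

if     ($Remove)         { Remove-RogueDriver $Remove }
elseif ($CheckInstaller) { Test-InstallerKeys }
else   { Get-SuspiciousDrivers | Sort-Object NameScore -Descending |
         Format-Table Name, State, Signature, Company, NameScore, Path -AutoSize }
```

Read the listing before using -Remove: the strongest single signal is a driver in the Running state whose file Test-Path cannot see, because a legitimate driver cannot run from a file that is not there. Deleting the service key is what makes the Autoruns entry disappear; if the file deletion fails the script prints the same Unlocker command the post uses, and the reboot is still required either way.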

**EDIT**

I work at a hospital, so we get many infected machines. Another virus that showed up today (I didn't know it was a virus at first) was completely ignored by Trend, and by accident I found that NOD32 had trouble with it too: it recognized it, but was unable to remove it. On the first machine, we got a call that the computer was "unresponsive". It would hang on reboot, and after a hard reset it would hang shortly after login (locally or on the network). So on the first one I did all my normal investigative work in safe mode, because that was the only way it wouldn't lock up. I didn't see anything out of the norm, and neither RootkitUnhooker nor GMER saw suspicious behavior. The key here: I wasn't looking closely enough. I reimaged that machine because I had already wasted enough time. Then two more came up. So I looked closer. And wouldn't you know, under Image Hijacks (Autoruns), explorer.exe was attached to c:\program files\microsoft common\wuauclt.exe. Doh. Then it was simple to just remove the file and kill the registry entry. BUT... when I plugged the USB key I had used on that machine into my computer back at the office, my computer running NOD32 found an "autorun.inf" virus right away. And before I could react, it rebooted, and then NOD32 was unable to remove it. Manual removal was possible without booting into safe mode, maybe because NOD was at least doing something. But be aware.
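Two checks for the second infection, as an added example of my own rather than code from the post: it enumerates Image File Execution Options "Debugger" values (the registry mechanism behind the Autoruns "Image Hijacks" tab, where one program is launched in place of another such as explorer.exe) and shows what any autorun.inf on a removable drive would launch, without running it. The list of debuggers treated as known good is my assumption; the removal helper only undoes the registry half of a hijack.

```powershell
<#
  Added example, not from the original post. Run as administrator.
  Lists IFEO Debugger hijacks and autorun.inf launch lines on removable drives.
#>
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoHijacks {
    # A Debugger value under IFEO\<image>.exe makes Windows start that program instead
    # of the image (the image path is passed to it as an argument).
    foreach ($k in Get-ChildItem -LiteralPath $ifeo) {
        $dbg = (Get-ItemProperty -LiteralPath $k.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { continue }
        New-Object PSObject -Property @{
            Image    = $k.PSChildName
            Debugger = $dbg
            # Legitimate entries are rare and name a real debugger; anything else is a hint,
            # not proof (assumed list).
            Suspect  = ($dbg -notmatch '(^|\\)(ntsd|cdb|windbg|vsjitdebugger|procexp)(\.exe)?\b')
        }
    }
}

function Remove-IfeoHijack([string]$Image) {
    # Undo a hijack: drop the Debugger value. The rogue file it pointed at still
    # has to be deleted by hand, as in the post.
    Remove-ItemProperty -LiteralPath (Join-Path $ifeo $Image) -Name Debugger
}

function Get-RemovableAutorun {
    # DriveType 2 = removable. Report the launch lines without executing anything.
    foreach ($drv in Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2') {
        $inf = "$($drv.DeviceID)\autorun.inf"
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        $launch = Get-Content -LiteralPath $inf -Force |
                  Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' }
        New-Object PSObject -Property @{ Drive = $drv.DeviceID; Launches = ($launch -join ' | ') }
    }
}

Get-IfeoHijacks      | Format-Table Image, Suspect, Debugger -AutoSize
Get-RemovableAutorun | Format-List
```

Run the listing before plugging a key from an infected machine into anything else; a non-empty Launches line for a USB drive is exactly the case described above, and the file can be inspected from the listing without ever letting the shell process it.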

--------------------------