Thread: AntivirusGT

  1. #1
    Li'l Abner Guest

    AntivirusGT

    A new strain... http://showcase.netins.net/web/mewnlite/GT.jpg .
    Or maybe just a new name for the SOS.
    Those are camera shots since I can't even get to paint or anything else for
    a screenshot. Can't run task manager at all in Safe Mode but desktop icons
    come up. Trying to run *anything* brings up the iSnake thing. That includes
    Task Manager, Windows Explorer, My Computer, msconfig, regedit or anything
    else I've tried (including Paint, of course).
    In Normal mode the non-Genuine notice comes up, desktop background shows up
    but no icons. Right clicking the desktop does nothing. Control-Alt-Delete
    brings up the iSnake thing the first couple of times but eventually lets me
    into Task Manager. AntivirusGT.exe is running and allows me to kill it.
    Then I tried to run explorer to get the icons back on the desktop and that
    was blocked by the iSnake thing again, which also started AntivirusGT.exe
    running again. It's XP Pro SP3.
    This one is going to be fun. I'm cloning the drive right now and pondering
    about a plan of attack.
    I may be back asking for help... :-)

    --
    --- Everybody has a right to my opinion. ---

  2. #2
    siljaline Guest

    Re: AntivirusGT

    Li'l Abner wrote:
    >A new strain... http://showcase.netins.net/web/mewnlite/GT.jpg .
    > Or maybe just a new name for the SOS.
    > Those are camera shots since I can't even get to paint or anything else for
    > a screenshot. Can't run task manager at all in Safe Mode but desktop icons
    > come up. Trying to run *anything* brings up the iSnake thing. That includes
    > Task Manager, Windows Explorer, My Computer, msconfig, regedit or anything
    > else I've tried (including Paint, of course).
    > In Normal mode the non-Genuine notice comes up, desktop background shows up
    > but no icons. Right clicking the desktop does nothing. Control-Alt-Delete
    > brings up the iSnake thing the first couple of times but eventually lets me
    > into Task Manager. AntivirusGT.exe is running and allows me to kill it.
    > Then I tried to run explorer to get the icons back on the desktop and that
    > was blocked by the iSnake thing again, which also started AntivirusGT.exe
    > running again. It's XP Pro SP3.
    > This one is going to be fun. I'm cloning the drive right now and pondering
    > about a plan of attack.
    > I may be back asking for help... :-)


    Removal Guide, here >

    (http://www.bleepingcomputer.com/viru...ve-antivirusgt)

    Good luck !

    Silj


    --
    "Arguing with anonymous strangers on the Internet is a sucker's game
    because they almost always turn out to be -- or to be indistinguishable from
    -- self-righteous sixteen-year-olds possessing infinite amounts of free time."
    - Neil Stephenson, _Cryptonomicon_


  3. #3
    siljaline Guest

    Re: AntivirusGT

    Beware of the PC Tools Banner ad, for those that use a Hosts file, this may not show.
    The MVPS Hosts file blocks this banner ad - Bleeping have been asked to remove it,
    they have not.

    Silj


    --
    "Arguing with anonymous strangers on the Internet is a sucker's game
    because they almost always turn out to be -- or to be indistinguishable from
    -- self-righteous sixteen-year-olds possessing infinite amounts of free time."
    - Neil Stephenson, _Cryptonomicon_


  4. #4
    Chief Scratchum Guest

    Re: AntivirusGT

    "siljaline" <spam@uce.gov> wrote in news:i8e2ch$ima$1@news.eternal-september.org:

    > Li'l Abner wrote:
    >> A new strain... http://showcase.netins.net/web/mewnlite/GT.jpg .
    >> Or maybe just a new name for the SOS.
    >> Those are camera shots since I can't even get to paint or anything else for
    >> a screenshot. Can't run task manager at all in Safe Mode but desktop icons
    >> come up. Trying to run *anything* brings up the iSnake thing. That includes
    >> Task Manager, Windows Explorer, My Computer, msconfig, regedit or anything
    >> else I've tried (including Paint, of course).
    >> In Normal mode the non-Genuine notice comes up, desktop background shows up
    >> but no icons. Right clicking the desktop does nothing. Control-Alt-Delete
    >> brings up the iSnake thing the first couple of times but eventually lets me
    >> into Task Manager. AntivirusGT.exe is running and allows me to kill it.
    >> Then I tried to run explorer to get the icons back on the desktop and that
    >> was blocked by the iSnake thing again, which also started AntivirusGT.exe
    >> running again. It's XP Pro SP3.
    >> This one is going to be fun. I'm cloning the drive right now and pondering
    >> about a plan of attack.
    >> I may be back asking for help... :-)
    >
    > Removal Guide, here >
    >
    > (http://www.bleepingcomputer.com/viru...ve-antivirusgt)
    >
    > Good luck !
    >
    > Silj


    It has been quite a trip. I tried logging into Safe Mode as Administrator
    and was successful in opening the task manager and ran regedit from there.
    I searched for AntivirusGT.exe and found it in two places, one of which had
    "Command" in the line. I deleted those entries, of course. I was then able
    to update and run MBAM which found several instances. Upon reboot, I
    *thought* things looked good and ran Superantispyware which found a bunch
    more. Just when I thought I had it licked, it came back at me with a
    vengeance. I should mention that this computer had Microsoft Security
    Essentials installed on it. But shortly every time I tried to run anything,
    an MSE alert popped up. It said Microsoft Security Essentials right in the
    title bar. The message was something about an unknown trojan and had a
    couple of buttons, one of which was "remove" which I didn't, of course
    because by that time I'd figured out that it was a fake alert. Then it was
    back to Safe Mode and MBAM again. This time it found a bunch of a different
    rogue, AntivirusIS. Stuff kept coming back with a vengeance so I finally
    ran ComboFix. It found an infected bootsector, then rootkit activity which
    it rebooted for and then ran its course. The report listed Rootkit
    Whistler. After I closed the report there was wallpaper with no icons
    again. I ran ComboFix again and it still found the infected bootsector. I
    finally ran the recovery console (which ComboFix installed) and did a
    fixmbr. Since then I uninstalled Microsoft Security Essentials, installed
    Avira, and did a full scan. It found 19 items, most of which sounded pretty
    nasty. I have just now turned the recovery console off and have rebooted
    and am preparing to turn it back on. Avira, which had detected the bad boot
    sector, does not see it anymore. Early in the game I not only cloned the
    drive, but used Hiren's Mini-XP to transfer all of their pictures and
    documents to a portable USB drive. But right now everything is looking
    pretty kewl. The browsers are going to where they're supposed to. I'm going
    to bed. I'll leave it on all night and I'm betting it'll still be OK in the
    morning.
    Thanks for steering me!
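
The registry cleanup described in the post above can be double-checked offline against a regedit export, for instance one taken from the cloned drive. This is an added example, not part of the original posts; it assumes the entry with "Command" in it was a `shell\open\command` handler for executables, which the post does not state, and the sample export and its paths are constructed.

```python
import re

# Stock open handler for executable file classes: run the clicked program itself.
EXPECTED = '"%1" %*'
EXEC_CLASSES = ("exefile", ".exe")
WATCHED = ("antivirusgt.exe",)  # file name reported in this thread
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # .reg escapes \ and " with a backslash

def audit_reg_export(text):
    """Return (key, value_name, data, reason) for suspicious string values."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        data = unescape(m.group(2))
        parts = key.lower().split("\\")
        is_open_cmd = parts[-3:] == ["shell", "open", "command"]
        is_exec_class = len(parts) >= 4 and parts[-4] in EXEC_CLASSES
        if is_open_cmd and is_exec_class and name == "(Default)" and data != EXPECTED:
            findings.append((key, name, data, "hijacked open command"))
        elif any(w in data.lower() for w in WATCHED):
            findings.append((key, name, data, "references watched file"))
    return findings

# Constructed sample export (not taken from the machine in the thread).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Application Data\\AntivirusGT.exe\" \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AntivirusGT"="C:\\Documents and Settings\\user\\Application Data\\AntivirusGT.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

if __name__ == "__main__":
    for finding in audit_reg_export(SAMPLE): print(finding)
```

Regedit writes version 5.00 exports as UTF-16, so decode the file before passing its text to `audit_reg_export`.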







  5. #5
    Li'l Abner Guest

    Re: AntivirusGT

    Chief Scratchum <scratchum@howmail.net> wrote in
    news:Xns9E081DCC0D375cheeseflakes@wefb973cbe498:

    > "siljaline" <spam@uce.gov> wrote in news:i8e2ch$ima$1@news.eternal-september.org:
    >
    >> Li'l Abner wrote:
    >>> A new strain... http://showcase.netins.net/web/mewnlite/GT.jpg .
    >>> Or maybe just a new name for the SOS.
    >>> Those are camera shots since I can't even get to paint or anything else for
    >>> a screenshot. Can't run task manager at all in Safe Mode but desktop icons
    >>> come up. Trying to run *anything* brings up the iSnake thing. That includes
    >>> Task Manager, Windows Explorer, My Computer, msconfig, regedit or anything
    >>> else I've tried (including Paint, of course).
    >>> In Normal mode the non-Genuine notice comes up, desktop background shows up
    >>> but no icons. Right clicking the desktop does nothing. Control-Alt-Delete
    >>> brings up the iSnake thing the first couple of times but eventually lets me
    >>> into Task Manager. AntivirusGT.exe is running and allows me to kill it.
    >>> Then I tried to run explorer to get the icons back on the desktop and that
    >>> was blocked by the iSnake thing again, which also started AntivirusGT.exe
    >>> running again. It's XP Pro SP3.
    >>> This one is going to be fun. I'm cloning the drive right now and pondering
    >>> about a plan of attack.
    >>> I may be back asking for help... :-)
    >>
    >> Removal Guide, here >
    >>
    >> (http://www.bleepingcomputer.com/viru...ve-antivirusgt)
    >>
    >> Good luck !
    >>
    >> Silj
    >
    > It has been quite a trip. I tried logging into Safe Mode as
    > Administrator and was successful in opening the task manager and ran
    > regedit from there. I searched for AntivirusGT.exe and found it in two
    > places, one of which had "Command" in the line. I deleted those
    > entries, of course. I was then able to update and run MBAM which found
    > several instances. Upon reboot, I *thought* things looked good and ran
    > Superantispyware which found a bunch more. Just when I thought I had
    > it licked, it came back at me with a vengeance. I should mention that
    > this computer had Microsoft Security Essentials installed on it. But
    > shortly every time I tried to run anything, an MSE alert popped up. It
    > said Microsoft Security Essentials right in the title bar. The message
    > was something about an unknown trojan and had a couple of buttons, one
    > of which was "remove" which I didn't, of course because by that time
    > I'd figured out that it was a fake alert. Then it was back to Safe
    > Mode and MBAM again. This time it found a bunch of a different rogue,
    > AntivirusIS. Stuff kept coming back with a vengeance so I finally ran
    > ComboFix. It found an infected bootsector, then rootkit activity which
    > it rebooted for and then ran its course. The report listed Rootkit
    > Whistler. After I closed the report there was wallpaper with no icons
    > again. I ran ComboFix again and it still found the infected
    > bootsector. I finally ran the recovery console (which ComboFix
    > installed) and did a fixmbr. Since then I uninstalled Microsoft
    > Security Essentials, installed Avira, and did a full scan. It found 19
    > items, most of which sounded pretty nasty. I have just now turned the
    > recovery console off and have rebooted and am preparing to turn it
    > back on. Avira, which had detected the bad boot sector, does not see it
    > anymore. Early in the game I not only cloned the drive, but used
    > Hiren's Mini-XP to transfer all of their pictures and documents to a
    > portable USB drive. But right now everything is looking pretty kewl.
    > The browsers are going to where they're supposed to. I'm going to bed.
    > I'll leave it on all night and I'm betting it'll still be OK in the
    > morning.
    > Thanks for steering me!


    Sorry about the Chief Scratchum thing. It was getting late.... :-)

    --
    --- Everybody has a right to my opinion. ---
