
Author Topic: online scan to get rid of "packed.generic.200"?  (Read 10319 times)


Kando

    Topic Starter


    Hopeful

    Thanked: 2
    • Experience: Experienced
    • OS: Windows 8
    online scan to get rid of "packed.generic.200"?
    « on: May 20, 2009, 10:03:25 AM »
    I am looking for an online virus scan that will scan the C drive when the computer is running off a Linux live CD. It has to be free and it should remove any viruses found without having to purchase a full version.

    I went to Eset, Trendmicro and Bitdefender, the first two needed to download and install something but could not since I was using the live cd. Bitdefender was able to run but did not find the virus.

    I am trying to get rid of Packed.Generic.200, I followed the instructions from the Symantec site but they did not work. Malwarebytes was able to be downloaded but will not install. Spybot S & D was installed but will not run. Ad-aware Anniversary edition ran but did not find it. I am already geared up to do a reinstallation from scratch (client can not find the cd's) but wanted to give it one more try.

    Thanks

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: online scan to get rid of "packed.generic.200"?
    « Reply #1 on: May 20, 2009, 10:30:52 AM »
    Quote
    I am looking for an online virus scan that will scan the C drive when the computer is running off a Linux live CD. It has to be free and it should remove any viruses found without having to purchase a full version.

    There is no guarantee, even with the paid versions, that they can detect and remove everything they find.

    Packed.Generic.200 is the name assigned to this virus by Symantec. Other companies will have a different name for it like Packed.Win32.Tdss.f [Kaspersky Lab] or Rootkit.Win32.TDSS [Ikarus].

    What this is is a rootkit. Unless you know how to physically find and completely remove a rootkit then I suggest you let me help.

    * Download  The Avenger by Swandog46
    * Unzip/extract it to a folder on your desktop.
    * Double click on avenger.exe to run The Avenger.
    * Click OK
    * Make sure that the box next to Scan for rootkits has a mark in it and that the box next to Automatically disable any rootkits found does not have a mark in it.
    * Click the Execute button.
    * You will be asked No script has been entered. Do you want to execute a rootkit scan only?.
    * Click Yes.
    * You will now be asked First step completed ... The Avenger has been successfully set up to run on next boot. Reboot now?
    * Click Yes
    * Your PC will now be rebooted.
    * After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at
    %systemdrive%\avenger.txt (typically C:\avenger.txt).
    * Please post the Avenger log in your next reply.


      Kando
      Re: online scan to get rid of "packed.generic.200"?
      « Reply #2 on: May 20, 2009, 12:12:27 PM »
      Hi, posting from different computer.

      The log was created and says that there is no rootkit found.

      I know it is there, is there a step that is to be done after this?


      evilfantasy
      Re: online scan to get rid of "packed.generic.200"?
      « Reply #3 on: May 20, 2009, 12:18:37 PM »
      Yes we can keep looking.

      Is the infected computer hooked up to the Internet?

      Do you have the file location that the Packed.Generic.200 was found at?

        Kando
        Re: online scan to get rid of "packed.generic.200"?
        « Reply #4 on: May 20, 2009, 12:41:40 PM »
        I ran Norton 360 again to get the address:

        "globalroot\systemroot\system32\uacnmsfijuybienyic.dll"

        I can hook it up, but will the infection jump to other computers? I am working in a school right now with 200+ computers.

        evilfantasy
        Re: online scan to get rid of "packed.generic.200"?
        « Reply #5 on: May 20, 2009, 12:45:46 PM »
        It won't spread as long as you don't transfer any files from the infected computer to another clean computer.

        Please do this.

        Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.

        * Scroll down to Non-plug and Play Drivers and click the plus icon to open those drivers.
        * Search for any of the following:
        * Important! The letters can appear in either upper case or lower case letters.

        - UACd.sys <- Or anything beginning with UAC
        - TDSSserv.sys <- Or anything beginning with TDSS

        * If you do find it, right click on it, and select Disable. Do not try to uninstall them.
        * Now restart the computer.
        * Let me know if you found them or not.

        ----------

        Hook the computer up with Internet access and then download and run ComboFix and post the log. This scan will take about 10 minutes, maybe a little longer.

        Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

        Link #1
        Link #2

        **Note:  It is important that it is saved directly to your Desktop

        Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

        Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
         
        Double click combofix.exe & follow the prompts.
        Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
        When finished ComboFix will produce a log for you.
        Post the ComboFix log in your next reply.

        Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

        Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

        If you have problems with ComboFix usage, see How to use ComboFix
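The thread's in-OS tools (Malwarebytes, ComboFix) are being killed before they can run, while the original poster already has the drive reachable from a Linux live CD. The script below is an added example, not part of the thread and not code from any tool named in it: it walks a mounted Windows volume for files whose names begin with the two prefixes given above (UAC, TDSS) in system32 and system32\drivers, hashes anything it finds, and translates the NT path Norton reported ("globalroot\systemroot\system32\...") into the matching file under the mount point. The "\\?\globalroot" prefix addresses the NT object namespace and "\systemroot" is the link to the Windows directory, so the DLL lives in C:\Windows\system32; there is no "globalroot" folder on C:. The mount point (/mnt/win) and the sample directory tree built by build_sample_volume() are assumptions for demonstration; the placeholder files contain no malware.

```python
"""Offline triage of a Windows volume mounted from a Linux live CD.

Added example, not from the thread or from any tool it mentions. It scans for the
file-name indicators the thread gives for this TDSS/UAC rootkit (anything starting with
UAC or TDSS in system32 and system32\\drivers) and maps Norton's reported NT path to the
file under the mount point. Mount point and sample tree are assumptions.
"""
import hashlib
import pathlib
import tempfile

# Prefixes from the thread; matched case-insensitively because NTFS names are
# case-insensitive on Windows while an ntfs-3g mount on Linux is case-sensitive.
INDICATOR_PREFIXES = ("uac", "tdss")
# Locations (relative to the Windows directory) where the driver and DLL were reported.
SCAN_SUBDIRS = ("system32", "system32/drivers")


def resolve_ci(root, parts):
    """Walk `parts` below `root`, matching each component ignoring case; None if absent."""
    cur = pathlib.Path(root)
    for part in parts:
        match = next((c for c in cur.iterdir() if c.name.lower() == part.lower()), None)
        if match is None:
            return None
        cur = match
    return cur


def translate_nt_path(nt_path, mount):
    """Map '\\\\?\\globalroot\\systemroot\\...' (with or without the '\\\\?\\' prefix) to the
    file under `mount`. '\\systemroot' is the NT symbolic link to the Windows directory,
    so the target is <Windows>\\system32\\<name>; 'globalroot' is not a folder on C:."""
    p = nt_path.replace("/", "\\").strip("\\")
    if p.startswith("?\\"):
        p = p[2:]
    parts = [x for x in p.split("\\") if x]
    if len(parts) < 3 or [parts[0].lower(), parts[1].lower()] != ["globalroot", "systemroot"]:
        raise ValueError("only \\\\?\\globalroot\\systemroot\\... paths are handled")
    return resolve_ci(mount, ["windows"] + parts[2:])


def sha256_of(path):
    """Hash a file so the sample can be identified across vendors without copying it around."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_volume(mount):
    """Return [(path relative to mount, sha256)] for indicator-named files in SCAN_SUBDIRS."""
    mount = pathlib.Path(mount)
    hits = []
    for sub in SCAN_SUBDIRS:
        directory = resolve_ci(mount, ["windows"] + sub.split("/"))
        if directory is None:
            continue
        for entry in sorted(directory.iterdir()):
            if entry.is_file() and entry.name.lower().startswith(INDICATOR_PREFIXES):
                hits.append((entry.relative_to(mount).as_posix(), sha256_of(entry)))
    return hits


def build_sample_volume():
    """Constructed stand-in for a mounted C: drive (placeholder contents, not real malware)."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="winvol_"))
    drivers = root / "WINDOWS" / "system32" / "drivers"
    drivers.mkdir(parents=True)
    (root / "WINDOWS" / "system32" / "kernel32.dll").write_bytes(b"benign placeholder")
    (root / "WINDOWS" / "system32" / "uacnmsfijuybienyic.dll").write_bytes(b"placeholder: UAC dll")
    (drivers / "UACd.sys").write_bytes(b"placeholder: UAC driver")
    return root


if __name__ == "__main__":
    vol = build_sample_volume()  # on a real live-CD session use pathlib.Path("/mnt/win")
    for rel, digest in scan_volume(vol):
        print(f"{rel}  sha256={digest}")
    print(translate_nt_path(r"\\?\globalroot\systemroot\system32\uacnmsfijuybienyic.dll", vol))
```

Because the infected OS is not running while the volume is mounted, the driver cannot hide its files from this scan the way it hides them from tools launched on the live system; the hashes let you check the sample against vendor databases before deciding between cleanup and the reinstall the poster is already prepared for. The script only reports; it does not remove the service registry entries, which is a separate step.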






          Kando
          Re: online scan to get rid of "packed.generic.200"?
          « Reply #6 on: May 20, 2009, 01:32:44 PM »
          I checked the device manager and did not find the files you mentioned. Would a search with wildcards find those files?

          I downloaded Combofix to the desktop and closed all browsers, disabled anti-virus and firewall. When I try to start it up, nothing happens. I checked task manager but did not see anything that looked like Combofix. I tried to start again with task manager open and still nothing happened.

          Could this be like trying to open Malwarebytes? It would show up in task manager for a fast 1/2 second and then disappear without starting.


          evilfantasy
          Re: online scan to get rid of "packed.generic.200"?
          « Reply #7 on: May 20, 2009, 02:05:30 PM »
          Launch Task Manager by pressing Ctrl + Alt + Delete

          End Process on these file names (if found)

          - FindStr
          - Vfind
          - SED
          - GREP

          - or any file that has the extension *.cfexe

          End each only once. 

          Now run ComboFix like this.

          Close all other browser windows.
           
          Go to Start > Run and copy/paste in the following:

          "%userprofile%\desktop\combofix.exe" /killall

          Press Enter and Combofix should begin to run.
           
          When finished, it will produce a log file located at C:\ComboFix.txt
           
          Post the contents of that log in your next reply.

            Kando
            Re: online scan to get rid of "packed.generic.200"?
            « Reply #8 on: May 20, 2009, 05:14:21 PM »
            Still no love. None of the processes were in task manager, typed in what you said and hit enter. The run window comes up, I click on "run" and nothing happened.

            All of the browsers are closed, task manager is closed, the account is part of the administrative group but the program will not start.

            Looks like this is a reinstallation waiting to happen.

            evilfantasy
            Re: online scan to get rid of "packed.generic.200"?
            « Reply #9 on: May 20, 2009, 05:25:57 PM »
            Have you tried running it in Safe Mode?

            evilfantasy
            Re: online scan to get rid of "packed.generic.200"?
            « Reply #10 on: May 20, 2009, 05:27:34 PM »
            Also that wasn't a complete file path.

            globalroot\systemroot\system32\uacnmsfijuybienyic.dll

            Is the first part C:\globalroot\systemroot\system32\uacnmsfijuybienyic.dll

              Kando
              Re: online scan to get rid of "packed.generic.200"?
              « Reply #11 on: May 20, 2009, 06:23:42 PM »
              I did not try it in safe mode, I will try that. The address is what was in the error window from Norton 360.

              evilfantasy
              Re: online scan to get rid of "packed.generic.200"?
              « Reply #12 on: May 20, 2009, 06:29:04 PM »
              Let me know. I'm not out of tricks yet :)

                Kando
                Re: online scan to get rid of "packed.generic.200"?
                « Reply #13 on: May 20, 2009, 07:39:20 PM »
                Booted into safe mode, checked task manager and they are still not there. Tried what you said and Combofix still will not start.

                What other tricks do you have? I am not sure that this is worth it, I was able to save the files and pictures and the owner is resolved to having everything reinstalled.


                evilfantasy
                Re: online scan to get rid of "packed.generic.200"?
                « Reply #14 on: May 20, 2009, 07:43:39 PM »
                Download OTMoveIt3 by OldTimer to your desktop.

                Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

                * Save it to your Desktop.
                * Double-click OTMoveIt3.exe to run it.
                * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

                Code:
                :Processes
                explorer.exe

                :services
                UACd

                :reg

                [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys]

                [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys\modules]

                [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys\modules]

                :files
                \\?\globalroot\systemroot\system32\uacnmsfijuybienyic.dll

                :Commands
                [purity]
                [emptytemp]
                [start explorer]
                [Reboot]

                * Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
                * Click the red Moveit! button.
                * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
                Close OTMoveIt3

                Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.