Everything posted by rodmann
Quick follow-up to my last post. I am not out of the woods yet. I discovered that while SAS is running and scanning, the SAS executable file is 'modified'. The initial scan completes because the SAS process is in memory, but any attempts to run it again will result in: "Windows cannot access the specified device". There are two workarounds to this:

1) Uninstall SAS, manually remove the infected SAS executable left behind and reinstall (although this will allow for only one scan before the infection happens again), or
2) After installing SAS, copy the executable to another directory or drive. After the file is modified by the infection during the scan, rename it and then copy the good version into the C:\Program Files\SUPERAntiSpyware directory to perform additional scans.

I am assuming the infection corrupts the SAS file vs. changing its attributes - if anyone knows more about this please pass it on. Unfortunately the last successful complete scan of SAS did not detect any new infected files even though the executable was modified during execution, so I have not eliminated all the sources of the infection.

A couple of other things I discovered about this Trojan:

1) Adobe Reader versions before 7.0 are subject to infection. I uninstalled AR 6 and Adobe Audition 1.5 (the Audition executable was flagged as possibly infected when running Sophos, probably because it had no owner after being modified).
2) I'm guessing McAfee scanning fails to run because the scanner executable 'mcods.exe' was modified/corrupted the same way the SAS executable was. I will have to reinstall McAfee. mcods.exe turns up as a suspect file in my Sophos scan.
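Workaround 2 above amounts to keeping a known-good copy of the scanner and putting it back whenever the installed file has been modified; the script below is an added example (not from the original post or from SUPERAntiSpyware) that automates that check and also answers the question the post raises, by telling a content change (different SHA-256) apart from a change to the file's permission bits or Windows attributes. File names and the "executable" bytes are constructed stand-ins.

```python
import hashlib
import os
import shutil
import stat
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def classify(installed, clean_copy):
    """Return 'missing', 'content-changed', 'attributes-changed' or 'ok'."""
    if not os.path.exists(installed):
        return "missing"
    if sha256_of(installed) != sha256_of(clean_copy):
        return "content-changed"
    # Permission bits plus, where the platform reports them, Windows file attributes
    key = lambda s: (stat.S_IMODE(s.st_mode), getattr(s, "st_file_attributes", 0))
    if key(os.stat(installed)) != key(os.stat(clean_copy)):
        return "attributes-changed"
    return "ok"

def restore_if_tampered(installed, clean_copy):
    """Put the clean copy back if the content changed; keep the bad file for later analysis."""
    verdict = classify(installed, clean_copy)
    if verdict in ("missing", "content-changed"):
        if verdict == "content-changed":
            os.replace(installed, installed + ".tampered")
        shutil.copy2(clean_copy, installed)  # copy2 also restores the mode bits
    return verdict

def demo():
    """Constructed scenario in a temp dir standing in for the SAS executable and its backup."""
    out = []
    with tempfile.TemporaryDirectory() as d:
        clean, installed = os.path.join(d, "clean.exe"), os.path.join(d, "installed.exe")
        with open(clean, "wb") as f:
            f.write(b"MZ-constructed-clean-scanner-image")
        shutil.copy2(clean, installed)
        out.append(classify(installed, clean))             # "ok"
        with open(installed, "ab") as f:
            f.write(b"\x90" * 16)                          # simulate modification during the scan
        out.append(restore_if_tampered(installed, clean))  # "content-changed" (then restored)
        out.append(classify(installed, clean))             # "ok" again
        os.chmod(installed, 0o400)                         # only the permissions change
        out.append(classify(installed, clean))             # "attributes-changed"
        os.chmod(installed, stat.S_IMODE(os.stat(clean).st_mode))
    return out
```

Run `classify()` against the real paths after each scan; an "attributes-changed" verdict points at the permissions problem described in the earlier post, while "content-changed" means the binary itself was overwritten and the `.tampered` copy is worth submitting to the AV vendor.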
I have some good news. I'm no longer blocked with SAS. After doing some investigating I learned my virus was likely a rootkit issue. I installed Sophos Anti-Rootkit and ran it. It identified more suspicious executables and hidden files. I had the tool delete the following files:

- C:\WINDOWS\SYSTEM32\ns5\I40F3TG.exe (also flagged by McAfee as a PUP during Sophos scan)
- C:\WINDOWS\msa.exe
- C:\Documents and Settings\All Users\Application Data\gav\wsdt05.exe
- C:\Program Files\Adobe\Audition 1.5\Audition.exe (when I saw this file I remembered Adobe running unexpectedly during web surfing, after which I immediately started getting blasted with the bogus AV apps and b.exe and i.exe, which was likely the start of this virus)

(Also there was a temporary internet file I deleted related to SuperAntiSpyware which appeared with a  appended to the filename. Since I had already uninstalled SAS I believed this to be a suspicious file and deleted it.)

There were other hidden files identified by Sophos including dll's. Not everything Sophos lists is necessarily an infected file or trojan, so I stuck with initially deleting only suspicious executables (after doing a google search on each to see if they were associated with known threats). After deleting the files above and rebooting, I was finally able to install SAS and run a new scan, which uncovered more suspicious files and registry items. McAfee scans are still not working so I have more investigating to do with the Sophos results, but I'm breathing a little easier right now at no longer being blocked running SAS.
I too am seeing this same problem on my infected PC running XP. It started with execution of bogus antivirus sites such as Green AV 2009 and trojan-spawned processes such as b.exe, i.exe, gav.exe and mgrdll.exe. I have eliminated these malprograms and have not seen the trojan spawn anything new, but the core infection is still there and it appears to affect attempted execution of nearly all major antivirus apps such as McAfee, MalwareBytes, HiJackThis etc. that could identify and eliminate the Trojan. In the case of SAS, I ran it initially after I first detected the infection and it detected numerous infected files, registry keys and memory. I thought I had fixed it, but after the Trojan-spawned processes appeared to change from b.exe to i.exe, I could no longer run SAS. Uninstalling and reinstalling the program does not work. Something in the infection changed permissions on the SAS executable so that it can't be run (and neither can my other AV apps). In Safe Mode I am able to modify the permissions of the Program Files dirs and start a SAS scan, but it dies seconds after execution, almost like a memory leak of some sort. That's where things are now. I have an infected PC with apparently no ability to run any AV app including SAS to fix the problem. I have been searching the web for answers but most involve running other AV apps which are not working for me. Any help here is appreciated.