Impossible to remove virus

ddeder

Golden Member
Jul 5, 2001
1,018
0
0
file name is c:\windows\system32\adsmsex.dll

registry key is AB673EBE-E526-4EAA-B4CB-96D5317BBA56

I cannot delete the file or the registry key.
I also cannot take ownership of either object, even in safe mode as an administrator.

Killbox and Unlocker cannot kill the file.

Cannot remove the virus booting from Linux CD.

Over a dozen antivirus products I have tried can detect but cannot remove.

If only Microsoft would create a program that can force delete any file no matter what the permissions....
 

Fardringle

Diamond Member
Oct 23, 2000
9,192
758
126
This is the solution posted in that thread that worked for the person that posted it:

I had a similar problem in that I had a yellow alert in the tray, then a few minutes later I would get a pop-up about "you system is probably infected.." (the message contained many misspellings)

I tried Smitfraud, combofix, spybot, lavasoft, HJT, NOTHING worked. Here is what I did:

Waited for Pop Up to come up.
Pulled up Task Manager.
Started killing processes until the pop-up disappeared. ("adsmsextw.exe" made the pop-up disappear, and the yellow alert went away if I moused over it.)
(I then tried to remove the "adsmsextw" entry in HJT, it KEPT COMING BACK!!)
Searched the registry for "adsm*".
Deleted any key with anything that came up. (some were exe, some were dll, The culprit was in a service called "RemoteRegistrySwPrv" just below "Remote Registry". )
Went to services and set the "RemoteRegistrySwPrv" service to 'disabled' ( I left "Remote Registry" alone! That one was legit)
Went to the system32 directory and deleted "adsmsextw.dll".
Went back to HJT and it wasn't there anymore.

THAT DID IT! (it only took me about a week of reading about 456 posts to fix it.) My guess is that it can somehow choose what service it attaches to, since I can't seem to find any postings about "RemoteRegistrySwPrv" and "Remote Registry" is a legit service. So the registry key and service may be different than my situation.

I hope this can help someone out.
 

ddeder

Golden Member
Jul 5, 2001
1,018
0
0
Sorry, This fix did not work for me. It did not work for the original poster either. I tried the SDFIX program and it did not detect the virus.

Thanks for trying.
 

hennessy1

Golden Member
Mar 18, 2007
1,901
5
91
Have you tried removing the drive and using it with another system to try and remove the virus that way instead of trying with the system on?
 

ddeder

Golden Member
Jul 5, 2001
1,018
0
0
Nope. Can't say that I have. But I think the permissions on the file will still block my removing it even if I move the HD to a new system.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
You might try GMER. Download from http://gmer.net.

In GMER, click here [screenshot] and then click here [screenshot], and you can browse the file system with GMER's own browser and attempt to delete the file that way. If GMER won't run, rename gmer.exe to something else.

Besides those features, GMER is also a rootkit remover, so you can start it and scan for rootkits too.

If necessary, hit the Safe... button to start the system in GMER SAFE MODE, then try again. Also, if you could send a copy of the file to mechbgon originpoint com, I'd be curious to see a copy and send it to antivirus vendors. Any other info on where you think it came from would also be of interest.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
If it is possible to modify permissions on the file, try removing all permissions to the file, period, then restart the system. I've seen some instances where this broke the magic forcefield, so to speak.

What's the big picture, is this a customer's computer you're trying to rescue, or your own? What's the name of the malware, according to the antivirus programs?
 

dclive

Elite Member
Oct 23, 2003
5,626
2
81
Originally posted by: ddeder
Nope. Can't say that I have. But I think the permissions on the file will still block my removing it even if I move the HD to a new system.

That's not correct. You can quite easily take ownership of whatever you want if you have physical access to the non-booting hard disk. It's only your booting ('system') hard drive that you cannot control unless given appropriate rights.

Move the drive to another system (or boot with a BartPE Boot CD and your favorite antivirus installed on that BartPE boot CD) and remove the infection that way.
 

ddeder

Golden Member
Jul 5, 2001
1,018
0
0
You are correct. Thanks Hennessy1 and dclive for that bit of advice. I removed the hard drive, connected it to another PC and was able to delete the file (adsmsex.dll). I have put the hard drive back into the original PC and booted it to Windows to see if the file is recreated - it is not. And my antivirus software has stopped telling me I have a virus.

The registry keys pointing to the file are still there however. When I run Hijackthis, it shows up as a BHO and says (file missing). Hijackthis cannot "fix" this BHO. I'm concerned that somehow, this leftover BHO will recreate the missing file sometime in the future. So my next question is... How can I delete the registry keys? I have tried everything I can to take ownership in safe mode, using regedit and regedt32 as the administrator. Nothing works.
 

ddeder

Golden Member
Jul 5, 2001
1,018
0
0
I found this in another forum dealing with an unrelated problem:

==========================================================
If the above fails try the following:
Move your harddrive to another computer and boot from that computers hard drive.
Go to regedit
click file and choose load hive (first click on HKLM or HKU)
browse to the location of the registry on your hard drive and load it as hive
now you can browse the registry of your computer without any user rights in the way!
after deleting the keys save it and replace your old file (keep a backup of the old registry).
Move the hard drive back to your housing and voilà....
==========================================================

This person is saying I can pull the hard drive again and access the registry from another PC. He says "browse to the location of the registry on your hard drive and load it as hive" . What is the location of my registry??? Anybody know?
 
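The "load hive" procedure quoted above, scripted as an added example (not code from anyone in this thread): the infected drive's SOFTWARE hive is loaded under a temporary key on a clean system, the CLSID the original poster reported is checked under both the CLSID and Browser Helper Objects keys, the DLL it points at is located on the offline drive, and the keys are removed only when -Remove is given. Assumed: the drive is mounted as D: on the clean system and the shell is elevated; the hive path %SystemRoot%\System32\config\SOFTWARE is the standard location.

```powershell
# Added example, not from the thread. Inspect (and optionally remove) a BHO's
# registry entries in an OFFLINE SOFTWARE hive taken from a drive attached to a
# clean system. Run from an elevated PowerShell on the clean system.
param(
    [string]$OfflineDrive = 'D:',   # assumption: infected drive mounted here
    [string]$Clsid = '{AB673EBE-E526-4EAA-B4CB-96D5317BBA56}',  # from the thread
    [switch]$Remove                  # without this switch, report only
)
$hivePath = "$OfflineDrive\Windows\System32\config\SOFTWARE"
$mount    = 'HKLM\OfflineSW'
$backup   = Join-Path $env:TEMP ("offline-software-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))

# Loading the hive from the non-booting drive bypasses the ACLs that blocked
# regedit on the live system; only the clean system's rights matter now.
reg.exe load $mount $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive from $hivePath" }
try {
    # Keep a backup before touching anything, as the quoted advice recommends.
    reg.exe export $mount $backup /y | Out-Null
    Write-Host "Backup written to $backup"

    $keys = @(
        "HKLM:\OfflineSW\Classes\CLSID\$Clsid",
        "HKLM:\OfflineSW\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { Write-Host "absent : $k"; continue }
        Write-Host "present: $k"
        # The CLSID's InprocServer32 default value names the DLL the BHO loads.
        $srv = Get-ItemProperty -Path "$k\InprocServer32" -ErrorAction SilentlyContinue
        $dll = if ($srv) { $srv.'(default)' } else { $null }
        if ($dll) {
            # Map the path recorded on the infected system onto the offline drive.
            $offlineDll = $dll -replace '^[A-Za-z]:', $OfflineDrive
            $state = if (Test-Path $offlineDll) { 'still present' } else { 'missing' }
            Write-Host ("  loads {0} (on offline drive: {1})" -f $dll, $state)
        }
        if ($Remove) { Remove-Item -Path $k -Recurse -Force; Write-Host "  removed" }
    }
}
finally {
    # Release handles PowerShell may hold on the hive, then unload so the
    # changes are written back and the drive can be detached cleanly.
    [GC]::Collect()
    reg.exe unload $mount | Out-Null
}
```

Run it once without -Remove to confirm the keys and DLL path match what HijackThis reported before deleting anything.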

dclive

Elite Member
Oct 23, 2003
5,626
2
81
You can always boot while the drive's attached to the other system - that's fairly simple - see my registry guide for info on how to load another registry (in my .sig) - and correct the problem that way (open the bad registry from the good system, at which time it will be wide open for you to change).

You should also be able to take ownership of the registry key and do what you like, but there may be remnants on the drive still.

Did you have the secondary system do a full scan of the infected hard drive, in addition to simply deleting that one file?
 

ddeder

Golden Member
Jul 5, 2001
1,018
0
0
Thanks for the help dclive. I was able to remove the registry keys. I learn something new everyday...

Out of curiosity, do you know if you can share the system32/config file and load and edit the hive from a networked PC?
 