
Virus attack that disabled smart security


Guest Chuck


I had the virus win32.expiro.ai hit my system, even though I was fully up to date on Windows and Smart Security 6.

I am battling cleaning up the system, but does anyone have any guidance they can offer to help eliminate this virus?

I tried the online security scanner; it would advance most of the way through the scan, then lock up and stop working. Any other thoughts, tools, or guidance?


  • ESET Insiders

Is ESET detecting it on your system now, or is it being detected by another security software? I was going to link you to a standalone cleaning tool from ESET, but I do not see one listed for this on the forum. You may need to contact support. If you purchased ESET in the United States then this is the link: https://www.eset.com/us/support/contact/

If you don't get an answer from ESET soon I will inform you of some other safe tools that should remove this infection. Try the ESET support link above first.

Edited by cutting_edgetech

Guest Chuck

I have had no response from customer service.

My Internet Explorer is blocked, so I have to go into safe mode to use it.

I ran the online scan again, and it stopped at 99% and would not finish.

What's the best way to get IE back? Do I need my Win7 disc?


Guest Chuck

Thank you for the Malwarebytes feedback. Yes, I ran it, and it found some of the files, but not all.

I have stopped the spread by reinstalling ESS, but it says I have 63 files it cannot fix/delete.

Kind of stuck now.


  • ESET Insiders

I must tell you before I offer this advice that I have no certifications, and if you decide to try this to remove these infections then you assume the risk of possible damage to your computer. This is a method I have used many times, and have found successful most of the time. You can also get help for virus removal at the links below. Bleeping Computer and Malwarebytes offer professional help for virus removal. I normally would leave this up to support, but they do not look like they are going to answer.

 

hxxp://www.bleepingcomputer.com/forums/f/55/spyware-and-malware-removal-guides-and-reading-room/

hxxp://forums.malwarebytes.org/index.php?showforum=7

 

Sometimes the infection will make your computer unusable or not allow you to install security software to remove the infection. Many times you will get a BSOD (Blue Screen Of Death), or the computer will reboot before you can install anything to remove the infection. In this case you may have to use a rescue disk to remove the infection, or remove enough of the infection so that the computer functions well enough to install software like Malwarebytes, Hitman Pro, etc. to remove any remaining infection. If you are unable to install Malwarebytes and Hitman Pro to remove the infection, then follow the directions below to see if that will remove the infection.

 

You will need an internet connection to update the software listed below!

If you have access to another computer then download Kaspersky Rescue Disk from this link: hxxp://support.kaspersky.com/us/viruses/rescuedisk?level=2

It is an ISO file. You need image burning software to burn this to a disk. If you have Windows 7 then it comes with Windows Image burner.

 

If you don't have image burning software then you can get ImgBurn for free from this link: hxxp://www.imgburn.com/

During the installation of ImgBurn it will probably ask if you want to install a toolbar or some other optional software. This is optional, so make sure to choose not to install it. Usually you have to untick the box or choose "I do not agree" to the optional software. Software like this is usually bloatware.

 

OK, put a CD or DVD in your CD-R or DVD burner, depending on which you have. Then double-click the ISO file. Choose "Burn image to disk". That is the option for most image burning software. If not, it should be very similar to that. After the disk has completed burning, place it in the infected computer's CD or DVD drive, depending on which type of disk you burnt. You will need to do this while the computer is booting. You will use this disk to boot the computer from.

First it will say "press any key to enter menu". Press any key so you will be taken to the menu at this time.

Next choose which language you prefer.

 

Then read the agreement, and press 1 if you agree in order to use the Kaspersky Rescue disk.

 

Then select Kaspersky Rescue Disk Graphic Mode.

 

Then wait until the desktop loads. (Note that this may take a few minutes).

 

It will say database out of date. Select update now.

 

After the update completes make sure that the following boxes are selected: Disk boot sectors, Hidden Startup Objects, C:/ . Note that if your operating system is installed on a partition other than C then select that partition.

 

Then select Start Objects Scan.

This may take a long time so find something to do for a while :)

Then select remove for anything found unless you recognize something you know to be safe.

 

It may have to reboot again to remove the infections so allow it to reboot.

 

Now remove the disk, and boot as you normally would. You can also leave the disk in. Just don't press any keys when it says press any key to enter menu. It will boot as it normally would as long as you do not press any keys.

 

Now see if it will allow you to install Malwarebytes, which you can download here

 

After the installation is complete select update to make sure Malwarebytes signatures are up to date. Now select perform full scan.  The scan will take a while to complete so find something to do for a while :)

 

After the scan has completed select remove for any threats found.

 

OK, now hopefully we are close to having all threats removed. With a little luck they have all been removed.

Now download Hitman Pro from here

Select 32 bit or 64 bit depending on which version of Windows you have. If you are not sure, then hold down the Windows key and the Pause/Break key at the same time. It will bring up a window with information about your computer. Look at System type to see if it says 32 bit or 64 bit. If this does not work, then right-click on Computer and select Properties. The same window will appear with information about your computer.

I do not remember each step for installing Hitman Pro. I believe it gives you an option to use a portable version or to install it to your machine. You can use either one you like. Just follow the prompts. Now conduct a scan. It does not take long to complete so don't go anywhere. After the scan has completed, select remove for anything it finds unless you know it to be safe. Hopefully you are virus free now. If not, then you will need to try to contact support again. Bleeping Computer and the Malwarebytes forum offer professional advice for removing hard-to-remove threats. There are other tools that can be used to remove these threats, but I cannot coach you on how to use them because if used improperly they can make your system unusable. I suggest you make a backup of your computer using imaging software once you get your computer infection free.

 

I hope I have helped!

Mike

 

Edited: due to many portions of my post not appearing.

Edited by cutting_edgetech

  • ESET Insiders

Please submit a customer care request.

 

I gave him that link already. He said it would not work for him. I did not think anyone was going to respond to the thread so I responded. You must have responded while I was typing the post. I normally would not touch this topic, but he was stuck without anyone else to help. Try contacting customer support again. Report back if you are unable to get through.

Link to comment
Share on other sites

Apologies on duplication of customer care request link.
Suggest topic move to https://forum.eset.com/forum/30-malware-finding-and-cleaning/ 
It should get more attention there. Noting that it is or was the weekend. 

 

 

Please submit a customer care request.

 

I gave him that link already. He said it would not work for him. I did not think anyone was going to respond to the thread so I responded. You must have responded while I was typing the post. I normally would not touch this topic, but he was stuck without anyone else to help. Try contacting customer support again. Report back if you are unable to get through.

 


  • Administrators

It is important to know whether the files infected with the virus were detected or not, whether cleaning failed or succeeded but files became unusable after the cleaning. A malware infection shouldn't cause the scanner to stop scanning, perhaps it was scanning a large file and after a few minutes it would continue scanning other files.


Guest Chuck

Support has been in touch with me, and we have exchanged some ideas. At the moment, they are stuck and researching.

The virus was originally identified as win32/expiro.NBF.

After some cleaning, I was able to eliminate everything except a win64/expiro.a.

I have seen many viruses, and fixed many myself, but this one is different. It attacks and makes itself part of .exe files, then replicates and goes after more. I have knocked out over 700 infections so far, but got stuck with the 63.

With the online scanner, I literally left it alone for 8 hours at the 99% complete state. It never moved, and never finished. It did the same thing the second time I tried to run it.

I tried other online scanners, but they would hardly touch the problem. I hate to say it, but this virus may have beat ESET; this would be the first one I have seen do this.

Link to comment
Share on other sites

Hello Chuck.

Would you be so kind as to update this thread when you and ESET have come to a conclusion? I am really interested in hearing what has been found. Would really appreciate it. Had an infection on one of my machines, which I often use to play with. The malware you described had a behavior that reminds me very much of what you are seeing. It ended up with me reformatting the whole disk (that was the only solution at that time). Just for the record, ESET was not installed; it was another AV vendor. So that is why I am interested in what is found, or will be found.

 

Regards, Janus

Link to comment
Share on other sites

Oh sorry, please forgive me.

Sorry! I should have written: is this a concern for ESET?

Edited by BellaBoo

Guest Chuck

Well, another day, and still no response from ESET.

I have sent details about this situation to both an IT professional and a technician who does this type of work for a living.

Both were very surprised about the details, and the possibility of .exe programs being rewritten.

Hopefully ESET has some advice soon, or I will have to take other steps up to, and including the nuclear option.

Link to comment
Share on other sites

Dear Chuck,

 

Can you please try the below link and revert with results?

 

download.avg.com/filedir/util/avgrem/avg_remover_expiro.exe

Edited by dwomack
Please do not post links to exe files

  • Administrators

Please email the following stuff to ESET as per the instructions here:

- Detected threats log

- SysInspector log

- examples of files infected with Expiro that cannot be cleaned.

Link to comment
Share on other sites

Hello Chuck.

Would you be so kind as to update this thread when you and ESET have come to a conclusion? I am really interested in hearing what has been found. Would really appreciate it. Had an infection on one of my machines, which I often use to play with. The malware you described had a behavior that reminds me very much of what you are seeing. It ended up with me reformatting the whole disk (that was the only solution at that time). Just for the record, ESET was not installed; it was another AV vendor. So that is why I am interested in what is found, or will be found.

Regards, Janus

Yes Chuck, please keep us posted. My interest certainly has been piqued.

 

Sincerely,


Guest Chuck

Well, have a message from ESET; they want to set up an appointment and try to resolve the issue.

Marcos, I am unable to get to the logs as you suggested. ESS has been disabled again, and this time it will not even let me uninstall/reinstall the software. I have noticed that Microsoft Security Essentials was being disabled, and .NET is altered.

This is the strangest infection I have ever seen.

Link to comment
Share on other sites

Well, have a message from ESET; they want to set up an appointment and try to resolve the issue.

Marcos, I am unable to get to the logs as you suggested. ESS has been disabled again, and this time it will not even let me uninstall/reinstall the software. I have noticed that Microsoft Security Essentials was being disabled, and .NET is altered.

This is the strangest infection I have ever seen.

As bad as it is, and as bad as it sounds, it's also very interesting to follow and in the end find out what it actually is that we're dealing with here. Keep us posted and good luck!!!


Guest JamesR

Cleaning for Expiro.a and all new variants is in ESET VSDB 8687. If ESET is not functioning properly, use the ESET Online Scanner to clean the infection. You may need to run the online scan from Safe Mode with Networking.
