#1 | mrx65 (Member) | 22nd June 2009

[Active] Infected with trojan "ACVE"

I am trying a post under this section first so please read to the end to understand why. The main reason for the post is a trojan called "ACVE" (not fully sure about the name as it is hiding very well). It is on another computer. I have googled ACVE, but only found programs that would help if they were on before the virus. This is why I think using another computer may work. I have taken the computer to a computer shop with a very good name where they scanned it and deleted/rebuilt the whole user file (there was too much corruption to save the user). But the virus came back the next day and increases each day. I have software that claims to be able to remove it, but ACVE blocks them from even starting and it also prevents me from searching various parts of the C drive (I have used the hunt and delete method in the past to weaken or remove various programs).

My theory is to remove the infected hard drive from the other computer and connect it to my computer, scan/remove the virus with the software on my computer, and then place it back into the original computer. Wisely, I have seen the possible "side effects" of such an action and figured I should consult someone much wiser than I first. First I don't want the virus to cross over to my computer and secondly it is a main drive and may not "like" or survive being a temporary slave drive. I have an external case that currently houses an external cd drive with a USB connection to my computer. It is designed to connect to internal hardware like a cd drive or hard drive. My computer is running XP and the infected one has XP pro.

My ultimate theory on this is that the maker of the virus may have overlooked or is unable to "defend" the virus from this kind of attack. Plus this would give me the ability to safely scan (in theory) several times and check for damage to and hopefully save the confidential files stored on it. I am open to posting a virus thread, but given the strength of the virus' defences I am thinking this is the best way and not the easiest to get around them, if it will work.
thanks,
greg

#2 | PeteC (Staff) | 22nd June 2009

Welcome to WindowsBBS

The only members competent to advise/assist in this matter are our trained malware analysts - this is not a Hardware issue.

I have moved your thread, with title edit, to the Malware & Virus Removal forum for their attention.

#3 | Admin. (Administrator) | 22nd June 2009

Hi,

Read this post as indicated at the top of this forum & follow the instructions.

#4 | mrx65 (Member) | 25th June 2009

I appreciate the reply. I thought I had followed the posting instructions. I posted under the other forum first as I know very little about the virus and if a USB connection can be made, it would open up the drive to the programs I have to identify the virus. I don't have the mirror on the infected computer just yet as I was trying to prevent the virus from copying confidential files to the internet. I do have it done for my computer and plan on running it on the infected computer now that I have copied/deleted the confidential files. Do you think the mirror will show what virus it is? All I have to go on is what Malwarebytes claims is there. This is the same program that the computer shop used and said that the virus is gone. I am trying to avoid another trip to the computer shop as we really don't have the money to spend on it right now. The virus is very well defended and in some cases it blocks copying them from a stick. Or worse yet, will shut them down if they get too "close" even if run from the stick.
thanks,
greg

#5 | broni (Malware Analyst) | 26th June 2009

Download the program listed below on good computer, move it to bad computer...

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

#6 | mrx65 (Member) | 28th June 2009

Thanks. I will try this and see what happens. May be a couple of days as I am sick today.
thanks,
greg

#7 | broni (Malware Analyst) | 28th June 2009

No problem
Get well

#8 | mrx65 (Member) | 17th July 2009

Thanks. I think I am ready to attack this now. I just wanted to clarify what script blocking is. I have found various things about it on the internet, but still not 100% sure. Does it only include explorer/firefox etc? I'm not 100% sure what is on that computer, but anti virus etc are generally easy enough to turn off. It is the script blocking that has me lost.
thanks,
greg

#9 | mrx65 (Member) | 17th July 2009

Do I post a copy of the report that it generates here? I read about it on the download site and they recommend it.
thanks,
greg

#10 | broni (Malware Analyst) | 18th July 2009

I'm glad you feel better.

Just turn your antivirus and firewall off.
If you use Windows Defender and/or Spybot, turn them off as well.

Yes, paste Combofix log back here.

#11 | mrx65 (Member) | 22nd July 2009

another road block

Combofix won't start. I turned off the firewall and AVG. I have tried to run it from the USB stick as well. I also tried a "back door" approach, I have Starter installed and selected Combofix to start at startup. Still does not work. Spybot is on, but I can't start it to turn it off after I did an update, so not sure if that is what is blocking it or not. I have had a lot of trouble getting antivirus\spyware to start right away on that computer. AVG and spyware doctor all came back clean when they finally started (it took a few days). I am starting to think that the virus will corrupt scan programs etc before it will let them start. So far, Malwarebytes is the only one to "find" ACVE. I have deleted the file that it says is infected (c:windows\... dllcache\cdaudio.sys). I was able to scan with Spybot, via a right click launch at the file, but it found nothing. There is still something wrong with the computer. I have had the power supply replaced within the last month, but the computer continues to restart on its own in a regular pattern. It is a short time that sometimes gets to the desktop, but if you persist it will eventually stay running as long as you want or until you restart it. It is a bit random, but mostly predictable. There is an occasional restart after an hour or 2. It will stay running even at peak capacity, so I am thinking that it's not the power supply. Scan programs or windows explorer when in certain parts of the windows file would set off a restart. This doesn't seem to be the case anymore.
I am starting to reconsider my original approach of connecting the hard drive via a USB to this computer and scanning as a slave drive. I am not sure exactly how to do it, but I do have the equipment (I think) to do it. I have an external case that converts an internal part to an external part. It currently houses an internal cd rom.
thanks,
greg

#12 | broni (Malware Analyst) | 23rd July 2009

Delete your copy of Combofix, and check my PM to you.