Tuesday, May 27, 2008

Cleaning Out ADVIRS.exe, A Relatively Unknown Virus

At work today, a friend of mine told me that he was unable to start Command Prompt or Task Manager. Any seasoned PC user will immediately recognize these as the symptoms of a possible virus infection. He then admitted that he'd let his brother use his pen drive to copy some stuff off his laptop over the weekend. Bingo!

But now what? We had no idea what virus it was and his updated enterprise edition of McAfee Anti-Virus didn't detect anything ( so much for all that money we pay them! ) and we couldn't run Task Manager to see which suspicious process were running.

Just yesterday, I'd read this article on Slashdot about gaining system privileges in Vista. The comments noted that this was also possible in Windows 2000/XP et al.

I had been planning to try it out and here was a great chance to see if it would work.

Here's the idea: The accessibility utilities, like Magnifier ( C:\WINDOWS\system32\magnify.exe ) and Sticky Keys ( C:\WINDOWS\system32\sethc.exe ) are applications that can be run from the login screen before logging into the computer ( Use Win + U and/or press the Shift key 5 times ). They are started with privileges higher than that of any user, including administrator.

 Starting them after you login will start them with your user account and they'll get those privileges. You must start them from the login screen.

So if you can replace the EXEs with some other application EXE, it would get invoked with those privileges. And what would be the best candidate for such a replacement? Good old Command Prompt ( C:\WINDOWS\system32\cmd.exe ). Once you do this and invoke Magnifier ( or Sticky Keys ), you'd end up starting Command Prompt with system level access. You can now do stuff that even the administrator accounts would not be able to ( I'm yet to discover what these are but the comments on the aforementioned Slashdot article have me convinced that this is indeed the case )

So, to do this, you should :

1. Make a copy of cmd.exe
2. Rename magnify.exe to magnify.exe.bak ( Always backup! )
3. Rename the copy of cmd.exe to magnify.exe

You'll have to do steps 3 pretty quickly because in about 5 odd seconds, Windows realizes that magnify.exe is missing and replaces it! So you could copy the filename and keep it ready and then quickly paste it. It's up to you. The idea is that rename the copy before the original magically reappears.

Back to the anecdote. Once I did this, I then started Magnifier and lo behold! Command Prompt opened up! We could now run tasklist to get a list of running processes and their PIDs. We were luck, my friend immediately spotted two instances of advirs.exe and when we Google'd it, we knew it was the culprit. We used taskkill to end the two processes and then tried running Task Manager and it worked!

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
ADVIRS.exe                  3276 Console                 0      5,992 K
YahooMessenger.exe          4056 Console                 0     15,416 K
JabberMessenger.exe         3560 Console                 0     42,748 K
GoogleToolbarNotifier.exe   4028 Console                 0      1,060 K
ADVIRS.exe                  3652 Console                 0      5,980 K

 We'd redirected the output of tasklist into a text file but when we opened it to see the PID of ADVIRS.EXE, the dumb virus wouldn't let us search for the string 'advirs'! So we searched for 'advi'. Clever, huh?

I then got my friend to install WinPatrol to protect against future autorun programs. We also used it to remove the registry key for running advirs.exe on startup - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Advirs

RemoteIT was the only antivirus that turned up in the search results for this virus and specifically claimed to clean it. We didn't try it because we'd already got rid of the problem by then but you could give it a shot, in case you're unlucky enough to get infected!

It does seem a pretty simple thing to get rid of though so maybe this wasn't really required. I think if we'd simply renamed a copy of cmd.exe to something else, it would have bypassed the virus' blocks, so you might want to try that first :D

  EXE name : advirs.exe
Location: c:\windows\system32\advirs.exe
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Advirs


Wolfestine said...

If I'm not mistaken, there is this virus, that runs a process NTDETECT.exe that does the same things as this virus. (I have a copy of it with me, if u'd like to check it out on a VM or something) May be this one's just a mutated version ;) That has to be deleted the same way. And most antiviruses (free editions or enterprise ones) are useless. They detect malware only when it's way too late. And then they simply delete the virus without undoing the changes brought about by them. IMO the best way to protect your Windows would be to use a decent registry guard. Although it can be irritating at times, it is lightweight n practical.

Anonymous said...

I took a relatively simpler route of deleting advirs.exe. Rebooted the computer in "Safe Mode with Networking" ( for WinXP). Deleted the virus from system32 folder. Then deleted the advirs entries from registry. Also deleted the virus from USB drive in the safe mode only. Luckily all this worked for me. All the best to you.

Ravindra said...
This comment has been removed by the author.
Anonymous said...

Please see the URL below


This URL helped me out. I was not able to even open my drives, it was giving me "Administrator has blocked this operation" error

Anonymous said...

I also had the same problem. i solved it first by stopping it from start through ccleaner.then i deleted enteries in safe mode of it fromm system32. It was having name advirs.exe.

damini said...

its so useful artical.its so educational tutorial.