Had bad Virut infection, now I keep getting random numbers.exe and other problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by KindredWarr, May 6, 2009.

  1. KindredWarr

    KindredWarr Private E-2

    A week ago Monday, I was browsing around the internet and burning off misc. data onto a DVD+R. The disc finished, I was about to walk away, and then weird things were happening to the desktop and I got a pop-up saying "your PC is infect do a virus scan" from something that looked like a Windows pop-up but was clearly a faked website.

    I restart, and I lose sound and my XP visual settings. I do some research and it looks like I got the Virut virus. I think I cleared it out... I hope, but then I keep getting ntos.exe installed (probably along with audio.dll and video.dll), and every now and then I'll see a randomly numbered .exe file in my processes, like the one that's actually running right now, even though I ran every scan that was recommended to me. It seems that after SAS or Malware removes items and then reboots, the problems are back; right now my folder options are hidden so I can't change it to see hidden folders and file extensions.

    Also, I keep noticing more and more numbered .tmp files in my C: drive like 1A.tmp 1B.tmp and on.

    Whatever help I can get to finally clear this PC out and use it again properly without being too nervous to log into certain websites would be a blessing, 'cause I'm at my wits' end here and not sure what else I can do.
     

    Attached Files:
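The symptoms in the post above (purely numeric .exe processes, short hex-named .tmp files in the drive root, ntos.exe/audio.dll/video.dll, and Folder Options disappearing) can be checked for in one read-only pass. This is an added triage script, not something from the thread or from MajorGeeks; it assumes an elevated PowerShell prompt on the affected machine and only reports, never deletes.

```powershell
# Added example (not from the thread): read-only triage for the symptoms described above.
# Assumptions: run from an elevated PowerShell prompt on the affected host; nothing is modified.

function Get-NumericProcesses {
    # Processes whose image name is purely numeric (e.g. 12345.exe), the pattern the post reports
    Get-Process | Where-Object { $_.ProcessName -match '^\d+$' } |
        Select-Object Id, ProcessName, Path
}

function Get-RootTmpFiles {
    param([string]$Root = 'C:\')
    # Short hex-named .tmp files sitting directly in the drive root, like 1A.tmp / 1B.tmp
    Get-ChildItem -Path $Root -Filter '*.tmp' -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[0-9A-Fa-f]{1,4}\.tmp$' } |
        Select-Object FullName, Length, LastWriteTime
}

function Get-NamedArtifacts {
    # File names the post mentions, looked for under the Windows directory and system32
    $names = 'ntos.exe', 'audio.dll', 'video.dll'
    $dirs  = @($env:SystemRoot, (Join-Path $env:SystemRoot 'system32'))
    Get-ChildItem -Path $dirs -Force -ErrorAction SilentlyContinue |
        Where-Object { $names -contains $_.Name.ToLower() } |
        Select-Object FullName, Length, LastWriteTime
}

function Test-FolderOptionsHidden {
    # Explorer policy that removes the Folder Options entry (keeps hidden files/extensions hidden)
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $val = (Get-ItemProperty -Path $key -Name NoFolderOptions -ErrorAction SilentlyContinue).NoFolderOptions
    return ($val -eq 1)
}

function Get-InfectionTriage {
    # Collect every indicator into one object so it can be saved or attached to a help request
    New-Object PSObject -Property @{
        NumericProcesses    = @(Get-NumericProcesses)
        RootTmpFiles        = @(Get-RootTmpFiles)
        NamedArtifacts      = @(Get-NamedArtifacts)
        FolderOptionsHidden = Test-FolderOptionsHidden
    }
}

$report = Get-InfectionTriage
$report.NumericProcesses | Format-Table -AutoSize
$report.RootTmpFiles     | Format-Table -AutoSize
$report.NamedArtifacts   | Format-Table -AutoSize
"Folder Options hidden by policy: $($report.FolderOptionsHidden)"
```

A non-empty result in any section is a reason to keep the machine off the network and follow the advice in the replies; a clean result does not prove the system is clean, since a file infector can sit in executables this script does not look at.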

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Nope! You are still infected. I can see many infected Windows system files and there could be many more.

    Your logs show that your Windows operating system files have become infected, and there is no known reliable fix for this. In addition, there are many, many other infected files. We could spend a lot of time trying to remove this infection, but odds are that it will not work because the nature of the infection has so many executable system files infected that as soon as we fix one file, other files that are infected will, almost immediately or upon the next reboot, just reinfect the files. In addition, your PC would still basically be unreliable/untrustworthy even if we manage to fix the infected files that we can see, since there could be many more that we are not seeing.

    The safest thing for you to do is back up your personal data immediately, since your PC could possibly become unbootable at any point in time. Do not back up any executable files. This includes programs that you have downloaded, since any of them could be infected.

    Once you back up, you need to format partitions and reinstall Windows and all other required software. DO NOT reinstall from any executable type files that were backed up recently on this PC or you will just reinfect yourself immediately.
     
  3. KindredWarr

    KindredWarr Private E-2

    I was hoping for better news, but I had a feeling it was going to go this way, and would have reformatted already, but I am on a Vaio PC and it only came with a recovery drive that no longer seems to be there... :cry

    I'm sure I can figure out something. I was given an unused copy of Windows XP Pro, but it's only an upgrade; if this won't go, there's always the Windows 7 RC.

    Thanks for the help guys, and even though the news sucks I do appreciate the help.

    BTW, is it okay if I post some new logs again after the reinstall just to make sure everything's clean? If so, do you want all the logs from the Run & Read Me First or just certain ones?
     
    Last edited: May 10, 2009
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. We don't like to give the bad news and don't like saying you need to reinstall either, but it is really the only reliable option. Attempting a cleaning will leave your PC in an untrustworthy state.

    You cannot do an upgrade because of the infection. It will just infect everything as you try to upgrade. You must format to remove the infection and then start from scratch.

    To get all the proper information, we would need all the logs. However, if you just want to get a feeling for whether it looks like the OS files are coming up clean, you can just attach a new log from MGtools. This will not give us a 100% certification, but it will let us know if you are back to the same state as right now. A full system scan with an antivirus program needs to be performed after you reinstall.
     
  5. KindredWarr

    KindredWarr Private E-2

    I do realize it's a Windows XP upgrade disc, and was ready to just set it aside, but I saw in the booklet that there was a section for "New Installation" which surprised me and got me hopeful. It just gives a quick rundown about a new install, why you'd need to install, bla bla bla. Am I to take it that this only applies to the Full version of XP and is just a blanket statement thrown in the booklet?

    I was kinda hoping I got lucky here... otherwise I'll just be using Windows 7, since Vista or a fresh copy of XP is a bit out of my price range ATM.
     
  6. KindredWarr

    KindredWarr Private E-2

    Okay, it turns out I could access the system restore drive by hitting F10 during start-up... didn't realize that, but it saved me quite a bit of trouble... I hope.

    I ran the scans again, but for some reason ComboFix seemed to just hang at the prep log screen. I know it takes a while, but it seemed to go on for more than an hour, which didn't seem normal; I think it was quicker before I cleaned the HDs.

    Hopefully everything's all clean. Sorry for the slowness of getting this up; it took me a while to go through stuff to back up and I've been a bit busy.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is a factory recovery partition, not what we call System Restore, which is part of Windows.

    Right now your logs look okay, but you have NO protection. You need to get properly protected, and you need to run a full system scan with an antivirus to make sure it comes up clean. My final instructions below give you a link on getting protected.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
      • Click START, then RUN, enter the below into the run box and then click OK. Note: the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from ComboFix (if it exists).
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to Add/Remove Programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete C:\MGlogs.zip.
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
