Virus Came Back Quickly After Reformat and Reinstall

Welcome to Major Geeks!

Sorry to give you the bad news but you will be reinstalling again since your Windows operating system files, and possibly many others, are infected.

The infection that you have is a Virut infection which can infect ALL executable files. The reason that you are getting reinfected after reinstalling is most likely because you are reinstalling the infection from some items you have backed up while infected. You must not reinstall anything from copies/backups that you have made. You must make sure that you reinstall only from original uninfected media. You must reinstall Windows from an original CD. You must not update it using anything you have previously downloaded. You must perform new downloads after you have reinstalled a clean copy of Windows.

If you have multiple hard disk partitions with files on them, they all need to be deleted since they are all likely to be infected. I saw you had Windows installed on drive D and on the C drive you had backups like below which are ALL infected and are also likely the sources of your infection especially the keygens and cracks.

What I recommend is that you use another clean PC (not one on your network since this infection can spread over networks) to download the below software and burn them to a CD that you can use to reinstall from. If you need to, you can download free programs from links given here: How to Protect yourself from malware!

• antivirus program & any update files
• antispyware blocker
• real birdirection firewall because the Windows firewall is terrible
• also download SUPERAntiSpyware, Malwarebytes, and MGtools from our links in the READ & RUN ME
• new copies of any other software you may need (like FireFox, Opera, Nero....etc) DO NOT USE any copies that you already have unless they came on original CDs from the company who developed the software.

Now to reinstall - do not connect the PC to the internet until suggested. Leave your cable unplugged.

• Then on your infected system, delete the partitions, repartition, format and reinstall Windows from your original Windows CD.
• Install the antivirus, realtime antispyware blocker, and firewall protection and reboot your PC. Do not install anything else.
• After reboot connect the cable to your PC and get your updated for Windows, your antivirus, antispyware, and firewall as necessary. DO NOT install anything else.
• Now make sure you run full scans on your PC with your antivirus and antispyware and make sure everything currently runs okay.
• If all is good continue to install other software you have newly download to the CD.
• Continue to get updates for anything you need and remember not to reinstall anything from old backups and do not install too many things before rebooting and checking to make sure everything is still good. i.e., go slowly with the installations.

 

Cracks and keygens are not false positives. They frequently contain malware and are also illegal. In addition, all forums like ours, have policies about them. See:Warning about Keygens, Cracks, and other Illegal Software

I'm not sure what you have save in this 730 GB of data but if it includes executable type files, it is very possible that they are now infected or soon could be since Virut infections are very contagious. This may well be the reason that your infection already came back after the format and reinstall. If you don't format ALL partitions, infected files remaining on these partitions will reinfect the freshly formatted and reinstalled operating system.

There have been attempted fixes for Virut type infections but they frequently fail and even when they look like they have succeeded, the systems are often left in an unreliable state where more and more problems arise over a period of time due to the damage that the infection may have cause to all software. Newer versions of these infections are very hard to properly diagnose/remove due to the infection actually having a bug in it which makes the signature of the infection impossible to always detect and also to remove the infection from the files that have been infected.

We can attempt to fix your problem but you do have to be aware that due to the nature of this infection, trying to fix it could result in the removal of necessary system files. Thus you PC could potentially become unstable, or worse, unbootable at any point. It is somewhat dependent upon how far/bad the infection has spread and which files are infected. Also there are no backups of the files on your PC that have not been infected. All copies are infected. Also since the infection is impacting files you are downloading (seen when ComboFix noticed it was infected) it makes it harder for us to actually fix your problem since ComboFix actually has some tools we need to help you more easily replace missing files.

I will give you something to try in my next message and we will see from that whether we are able to get anywhere with the cleanup.

 

Okay after looking at your logs, there are quite a few system files that are infected and they cannot be fixed while Windows is running. Do you have your Windows XP SP3 bootable CD? Since you cannot run ComboFix this is one of the only ways that the infected system files could possibly be replaced. The other choice would be if you had a LINUX, Knoppix, ...etc type boot CD that could then be used to get access to your hard disk without Windows running. A third choice could be to put your hard disk into another PC as a slave drive but this could infect the other PC.


All of the below are infected and need to be replace and there could be many others.
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\dllcache\ctfmon.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\dllcache\explorer.exe
D:\WINDOWS\system32\dllcache\lsass.exe
D:\WINDOWS\$NtUninstallKB956572$\services.exe
D:\WINDOWS\system32\dllcache\services.exe
D:\WINDOWS\system32\dllcache\spoolsv.exe
D:\WINDOWS\system32\dllcache\svchost.exe
D:\WINDOWS\system32\userinit.exe
D:\WINDOWS\system32\dllcache\userinit.exe
D:\WINDOWS\system32\dllcache\winlogon.exe
D:\WINDOWS\system32\dllcache\ndis.sys
D:\WINDOWS\system32\drivers\ndis.sys


In addition, the below need to be deleted:
D:\WINDOWS\services.exe
D:\WINDOWS\system32\4.tmp
D:\WINDOWS\system32\6.tmp
D:\WINDOWS\system32\reader_s.exe
D:\WINDOWS\system32\xadmdubw.dll
D:\WINDOWS\Temp\15454.tmp
D:\WINDOWS\Temp\BN1.tmp
D:\WINDOWS\Temp\spi2.tmp
D:\Documents and Settings\Dmitri\Local Settings\Temp\17596.tmp
D:\Documents and Settings\Dmitri\Local Settings\Temp\cmd.execf


I also strongly advise you to cleanup your Desktop. Remove eveything but links to run programs. Do not download and save programs here and defintely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing. Any executable files that you have here should just be deleted since they are most likely infected.

 

You need to be extremely selective on what you backup. The virut infection may have already spread to all drives and all executable files. If you backup even one single infected it file, it can be the catalyst that will reinfect your whole system again after a reinstall.

It may be a false detection for what SUPERAntiSpyware showed in the log; however since it is an executable file, it could be infected with the Virut infection that you have.

You need to backup important personal data before we start trying to remove the infection (which may not be possible) before your PC potentially becomes unbootable.

Do you have your Windows XP SP3 boot CD so that it can be used to boot to the Recovery Console and from which you can start replacing all the infected operating system files?

 

Here is something you can try as a start but this does nothing to repair all of the infected files on your system. It just attemps to remove some of the items that are the part of the source of the infection.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [reader_s] D:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [services] D:\WINDOWS\services.exe
O4 - HKCU\..\Run: [reader_s] D:\Documents and Settings\Dmitri\reader_s.exe
O20 - Winlogon Notify: xadmdubw - D:\WINDOWS\SYSTEM32\xadmdubw.dll
NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix, exit HJT.



Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
D:\WINDOWS\Temp
D:\Documents and Settings\Dmitri\Local Settings\Temp

Now run Ccleaner to clean out only temp files and nothing else!

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Then attach the below logs:

• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!