#1
07-20-09, 14:11
Master_Raul (Private E-2, joined Jul 2009)
Need help with Win32/Virut please.

I will start out with this: That being said, let's move on....

I have looked at the other threads pertaining to this infection and also gone through the read me first sticky and completed all of the required tasks including the Win XP Cleaning Procedure.

(I am trying to clean the system so that when I ghost the drive it does not come back. I ghosted once and it just came back.)

I was unable to run ComboFix because it kept telling me that the package was corrupted by Win32/Virut. I then tried to run RootRepeal. It will get 3 min into the scan and pop up "rr.exe has encountered a problem and needs to close." By running RR on the C:, D:, G: and I: drives individually I was able to get it to scan. Drive H: crashed the program. Drive J: came up with the error "Unrecognized partition type 6 (0x6)!" and would not scan the drive. Drive H: contains copied movies, TV shows and other media. Drive J: is my backup drive containing Ghost backup images and other backed-up files. All of my drives are internal drives, either IDE or SATA. I am attaching the RR logs in a rar file with each drive's report and the crash log from drive H:. Drive J: did not crash, nor did it have a report to save.

I also went one step further and ran GMER.exe. I am attaching that as well.

I am still having issues with the computer. This Virut is proving difficult to remove. After reading the other threads on it I knew it would be. I still have hope to accomplish my goal of being able to restore my ghost image though.

I have also run rmvirut.exe several times. I have no idea if it's working, but I see little change. It's not getting everything. It did say in the threads I have read about it that it will "eventually" get it all. I'm just wondering when eventually is and how many times I have to run it. I've run it 17 times so far. Hope that's not bad.

I've run the Windows Malicious Software Removal Tool as well. It seems to do a better job than rmvirut.exe, but it still isn't getting all of it.

I have not run either of these since I started with your cleaning procedures.

If you need more info I will be happy to provide it. The virus is still there because WMSRT still keeps popping up and so does WinDef. BitDefender doesn't seem to function anymore.

I don't know how I got this in the first place. This all started on 7-18-09. It seems to have happened when I opened the ports in the router for a new game I installed through Steam. It was America's Army 3. I have since disabled all port forwarding in the router and reset ZoneAlarm Free Firewall so it would no longer allow traffic in or out through previously allowed channels. I will have to reconsider how to do this so I can play the game effectively and remain safe from intrusion. If you have tips, they would be appreciated. If it helps, I have a Linksys BEFW11S4 V2 Wireless Access Point Router w/ 4-port Switch.
Attached Files
File Type: log SUPERAntiSpyware Scan Log - 07-19-2009 - 23-20-48.log (4.6 KB, 4 views)
File Type: txt mbam-log-2009-07-20 (00-07-17).txt (5.6 KB, 2 views)
File Type: zip MGlogs.zip (117.2 KB, 4 views)
File Type: zip RRlogs.zip (13.6 KB, 3 views)
#2
07-20-09, 14:12
Master_Raul (Private E-2)
Re: Need help with Win32/Virut please.

The remaining log.
Attached Files
File Type: txt gmerlog.txt (70.0 KB, 5 views)
#3
07-22-09, 15:24
TimW (MajorGeeks Administrator - Jedi Malware Expert)
Re: Need help with Win32/Virut please.

Let's see if we can get you cleaned up.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Please use add/remove programs to uninstall:
Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME

Now download The Avenger by Swandog469, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop

Please Disable Spybot's TeaTimer

* Run Spybot and click Mode
* Select Advanced Mode.
* Then click Tools and select Resident.
* Now in the right window pane, uncheck TeaTimer.
* Also while this is open, in the left column now select IE Tweaks
* and then in the right pane make sure all the Miscellaneous locks are unchecked.
* Now quit Spybot!

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click; use right click and select Run As Administrator). This is really HijackThis. Select Do a system scan only, then select the following lines, but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:
Quote:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {25b3bc47-445f-4793-8c4e-234a75639219} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9514BE09-A05E-4078-906E-35350A6569A6} - (no file)
After clicking Fix, exit HJT.

Now copy the text in the Quote box below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as type" is set to "All files". Once you have saved it, double click it and allow it to merge with the registry.
Quote:

REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"pridl"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{25b3bc47-445f-4793-8c4e-234a75639219}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9514BE09-A05E-4078-906E-35350A6569A6}]

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the "Input script here:" part of the window:


Quote:
Files to delete:
C:\WINDOWS\system32\11c.tmp
C:\WINDOWS\system32\11d.tmp
C:\WINDOWS\system32\11e.tmp
C:\WINDOWS\system32\18.tmp
C:\WINDOWS\system32\1b.tmp
C:\WINDOWS\system32\2.tmp
C:\WINDOWS\system32\20.tmp
C:\WINDOWS\system32\23.tmp
C:\WINDOWS\system32\atl71.dll
C:\WINDOWS\system32\b3.tmp
C:\WINDOWS\system32\b4.tmp
C:\WINDOWS\system32\b5.tmp
C:\WINDOWS\Temp\tmp00003e07
C:\WINDOWS\Temp\tmp00002446
C:\WINDOWS\Temp\tmp000055f3
C:\WINDOWS\Temp\TMP00000028D0126CAFCE17949B
C:\WINDOWS\Temp\TMP000000E64EB6B5DF12405169
C:\WINDOWS\Temp\tmp00004d78
C:\WINDOWS\Temp\tmp00006256
C:\WINDOWS\Temp\uac3afb.tmp
C:\WINDOWS\Temp\uac3bb7.tmp
C:\WINDOWS\Temp\uac3c4a.tmp
C:\WINDOWS\Temp\uac3e1e.tmp
C:\WINDOWS\Temp\uac3f76.tmp
C:\WINDOWS\Temp\uac3f95.tmp
C:\WINDOWS\Temp\uac62e8.tmp
C:\WINDOWS\Temp\vrt119.tmp
C:\WINDOWS\Temp\vrt19.tmp
C:\WINDOWS\Temp\vrt1a.tmp
C:\WINDOWS\Temp\vrt4.tmp
C:\WINDOWS\Temp\vrtb.tmp

Folders to delete:
C:\WINDOWS\Temp\tmp00003e07
C:\WINDOWS\Temp\tmp00002446
C:\WINDOWS\Temp\tmp000055f3
C:\WINDOWS\Temp\TMP00000028D0126CAFCE17949B
C:\WINDOWS\Temp\TMP000000E64EB6B5DF12405169
C:\WINDOWS\Temp\tmp00004d78
C:\WINDOWS\Temp\tmp00006256
C:\Documents and Settings\Administrator\Application Data\pridl
* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
Now run CCleaner to clean out only temp files and nothing else!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click; use right click and select Run As Administrator).

Then attach the below logs:

* C:\Avenger.txt
* C:\MGlogs.zip

Make sure you tell me how things are working now!