EMail USPS Virus, + Virus:HTML/Virut.BH, BN

[Brokenstick]

I hope you are able to help.

Source of Infection:
On 01/06/2012 a momentary lapse of not reading an e-mail or the attachment's extension carefully left me with the USS email virus - hidden files, url re-direction and ultimately a corrupt boot record.

What Steps I Have Taken So Far:
Before having the opportunity to learn about Major Geeks, I made an effort to get up and running, discovering a "fake" MBR and getting rid of it with GParted and rewriting the record with BootRec, then running MalwareBytes' and ComboFix. They helped and gave me some hints, and eventually I managed to make progress.

After coming across the thread Email USPS virus - all files hidden, url redirection, I tried to adopt some of the instructions to my situation, i.e., running MalwareBytes again, SuperAntiSpyware, Combofix with the CFscript (modified to fit my particular situation re: KB*.sys), and MGTools

Current Status:
(1) No more redirection
(2) Probably majority of files/directoris are NOT hidden anymore, although taskbar and some desktop items are hidden yet when I try to create another it tells me that one already exists
(3) MGTools will (subsequently) not work and crashes, as do other programs, immediately upon opening
(4) Microsoft Office wants to reconfigure itself, then can't find the key information, etc.
(5) Microsoft Security Essential is now continuously giving me notifications of infection by Virus:HTML/Virut.BH, BN and other variants -- mostly .HTML files, but including .EXE files

Attached are the logs that have been generated over the course of my efforts.

I am running Windows 7 (Enterprise) 64-bit with SP1. I was running Microsoft Security Essentials at the time of infection, which simply disappeared from the face of my computer (and subequently re-installed).

Please consider helping me in any way possible -- direct instruction, reference, referral, etc.

Thank you,

Brokenstick

[TimW]

Please download and save the below tool from Grinler @ bleepingcomputer to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

http://download.bleepingcomputer.com/grinler/unhide.exe

Now run it. Now see if you can find the items that seemed to be missing?

Now please do this online scan:
eSet Online Scan.

[Brokenstick]

Thank you very much.

I will do those two items right away.

I have an additional question: There are actually two drives in my 'puter configured as RAID 1; does this present any malware removal issues in and of itself?

Again, many thanks!

[Brokenstick]

The "unhide.exe" file seems to have worked.

The results of the eSet Online Scanner are attached.

eSet Online Scanner Log 2012-01-09.txt

[TimW]

What issues are you still having?

[Brokenstick]

Microsoft Office required me to go through the repair and activation process, but works fine so far.

Adobe Acrobat Pro and Windows scanning seem to be an issue, but I am thinking it may just need a driver reinstall.

Not that serious but none of the Win 7 games work (the apps crash on launch). I uninstalled them and then reinstalled them through the control panel, but no luck.

Microsoft Security Essentials continues to "detect" Virus:HTML/Virut.BH. encounters an "error" in trying to disinfect the files; the error is that it can't find the "virus".

[TimW]

Where is MSE finding the virus? Do you have a log?

Your other issues should be addressed in the software forum.

[Brokenstick]

Surprisingly, MSE does NOT have a log!

The infected files initially found were all over the place, and most were successfully disinfected according to MSE (executables and non-executables).

Then they were mainly .html or .htm files in the Adobe directory, and primarily the "Legal" and "Help" files for the various Adobe applications.

The most recent were the .html files in PhoneGap application directories.

[TimW]

You can double check those files by uploading them to Jotti:

Click on the following link and upload the file: Virustotal

[Brokenstick]

Thank you very much for all of your help. I am sure you do not need me to tell you what a tremendous service you provide to the online community.

I am very grateful personally for your help.

[TimW]

You are most welcome. Safe surfing.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.We recommend them for doing backup scans when you suspect a malware infection.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
     
     
   
   
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
   
   
10. After doing the above, you should work thru the below link:
    
    • How to Protect yourself from malware!

Malware removal from a National Chain = $149
Malware removal from MajorGeeks = $0