Help Needed Badly - I am going NUTS!

Hi and welcome.

You are badly infected. There may be some backup files that are not infected that we can fall back on, I'll certainly let you know when I've finished reviewing your logs.

Thanks for your patience during this time.
Kes13!

 

What exactly was done to this PC on 3/8/2009 and 3/9/2009 since so many files have this date.

I would prefer to know exactly what has been deleted and why you were deleting them. Did you have proof that the files being deleted were infected? Perhaps the BSODs are due to what has been deleted.

McAfee should be uninstalled. I would like for you to uninstall it and also use the McAfee Consumer Product Removal tool.

So please do the below:

Download the McAfee Consumer Product Removal Tool

Run this > Reboot your machine > and Run it again to get rid of remnants of McAfee.

Now for removing the malware:

Do you know what the below is?
C:\Alvufix.exe


1) If you do not use Windows Messenger Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

2) Please go to Add or Remove programs and uninstall the below softwares:

• Ad-aware 6 Personal <--- outdated
• Java 2 Runtime Environment, SE v1.4.2
• Java 2 Runtime Environment, SE v1.4.2_04

Also please include in the uninstall your copy of Spyware Doctor (if it is a free trial) If it is paid for then obviously leave it alone.

3) Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O15 - Trusted Zone: http://*.mcafee.com <--- because no site should be in your TZ
O20 - AppInit_DLLs: c:\windows\system32\supewago.dll

NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

4) Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
• If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below code box into it

(make sure you scroll all the way down in the code box to get all lines selected ):

Code:

 
KILLALL::
 
Fcopy:
c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe
c:\windows\ServicePackFiles\i386\spoolsv.exe | c:\windows\SYSTEM32\spoolsv.exe
 
File::
c:\windows\SYSTEM32\reader_s.ex_ 
c:\windows\adobe.bat
c:\windows\_id.dat
c:\windows\system32\supewago.dll
 
DirLook::
c:\program files\mal 
 
Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
 

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  
  http://farm4.static.flickr.com/3014/3035535531_512f04c6a2_o.gif
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


5) Please give the Norton Removal Tool (SymNRT) a run > reboot your machine and then run it again for good measure.

6) Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).

• C:\WINDOWS\Temp
• C:\Documents and Settings\Alastair\Local Settings\TEMP

7) Now we would advise you to install either Avast! Home Edition or AntiVir Personal Edition (only install one) and run a FULLSCAN to see if anything is detected. Attach a log if anything is found other than in System Volume information which is just System Restore.

8) Now Run Ccleaner!

9) Now go to this link Using MGTools and download the new version of MGtools.exe using the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

10) Run the new MGTools.exe and attach the MGlogs.zip that it produces.

11) Also attach the log from running ComboFix.

Thanks
Kes

 

I'm sorry to have to bring this bad news, but infections like Vitro, Virut,...etc. can infect every executable file on a PC. They will attack all executable and not just the ones related to the Windows OS. Infections like this are not repairable (at least not at this time) and thus continued scanning will eventually result in a PC becoming totally unusable since the scanners will be deleting required system files along with files for all other programs you have installed.

The safest and most reliable thing to do for infections like this is to just perform a total clean reinstall. I suggest that hard disk partitions be deleted and then recreated. Then formatted followed by the reinstall of Windows and other programs. We don't recommend backing up anything since the files could be carrying the infection (especially anything that is an executable type file) and you will just reinfect a new installation if you restore these backups. However if you really need personally data from this hard disk, the only method I would use would be the below:

• physically remove the hard disk from this PC and slave it into another well protected computer. I recommend having Avast on the other PC since it seems to catch this infection.
• DO NOT RUN ANY PROGRAMS on this infected slave drive while plugged into the other computer.
• Copy only your data files from the infected drive. DO NOT COPY any executable type files.
• The put this infected hard disk back into the original PC and start the reinstall process beginning with the deletion of all partitions.

Also note this infections can spread to shared drives and also writable removable type drives. So if you have a network with shared drives, other computers may be infected. Also if you have plugged a USB flash drive into this PC, the flash drive could now be carrying the infection if any executable type files were on the flash drive. Also any PCs this flash drive has been plugged into could now be infected.

 

You're welcome. If you want to give something a try to see if it can help at all ( and this will be educational too), try making the below CD and giving it a run.

http://freedrweb.com/livecd/?lng=en

Also note becareful with the word "rebuild". A rebuild by our definition, will not work. You will need to completely delete partitions and reinstall from scratch.