Either a flash virus no scanner can locate or else..

Discussion in 'Malware Help (A Specialist Will Reply)' started by Kloppstock, Oct 18, 2010.

  1. Kloppstock

    Kloppstock Private E-2

    ...OS became corrupted by now-removed viruses


    1.
    I wanna start by showing this picture
    http://img512.imageshack.us/img512/1889/aktarygg2.th.jpg
    which was actually taken in real time, as it looks right now on my computer.
    You can see the disk manager's and "Computer"'s realities appear different;
    do I need to add that the "disk manager's" reality was the original in both views
    before this virus?

    I can change that forced name "local disk (D)"
    through "Computer" with just a right click, "rename", back to my correct names,
    but disk manager will not count it whatever I do.
    To me that could look like a hijacking just as well as a Windows interface corruption? :confused

    It all started with a trojan I got from an infested key generator. A lot of scanners credited it with different names, but AVG, which killed the remains of it inside the windows/temp folder, claims it was "Bagle.ACB"; the infested files in the temp folders were named "CAV".tmp

    Before the supposed killing I had scanned all my 4 hard drives with the Bagle eliminator tool "FindyKill V6.002" (it took 5 hours only).
    At least according to its log files it deleted something (attached below) but not everything,
    since I was forced to compensate with both AVG and Malwarebytes Anti-Malware.

    (It's possible Malwarebytes eliminated other trojans that started to drop in; check the attached log for analysis.) But before I used "FindyKill" no anti-virus program could stop the active trojan process and delete any files.

    This virus started to kill off all my security software, and it also corrupted a couple of totally unrelated programs
    http://img515.imageshack.us/img515/1191/fisen.th.jpg
    by corrupting their shortcut icons and removing the uninstaller from their folders, and it was during the same process that it renamed all my hard drives to "local drive".

    Now when all alerts are gone I have scanned with the following software to ensure nothing can be left over

    (no, they have not all been installed at the same time)

    Spybot Search and Destroy (was destroyed itself during the virus attack)
    Avira Anti Virus
    Microsoft Security Essentials
    Malwarebytes Anti-Malware
    AVG Free Edition
    Kaspersky 30 day trial
    Avast Anti Virus
    Windows Defender (was deactivated during the virus attack)
    Comodo Anti Virus
    Flash Disinfector (currently fails to start the scan, nothing happens, even with admin rights)
    F-Secure 30 day trial
    CCleaner (all possible temp scrap has been trashed)
    Autostart program viewer (no odd start-up processes left!!)

    It would be nice if someone could, with the help of my logs, find any
    suspicious flash viruses that all the scanners above would fail to locate :major

    If not, perhaps this computer is indeed clean, and it's my Windows 7 installation
    that has been corrupted by the virus, and in need of a boot F8 repair installation like my buddy seems to suggest.
    But before I attempt this I wanna be sure no virus is behind this double game
    "Computer" and "disk manager" now play with me; I prefer not to repair
    unnecessarily if it turns out this could have been manually fixed instead?


    Is it just me or is this very odd? :crap
    http://content.imagesocket.com/thumbs/mysko8e8.jpg
    C:/ appears to have become changed to "read only" by something I have done, or have been attacked by.
    I can't save any file to C:/ either, I notice now. Houston, we have a problem.

    From where can you manually change this back? Is that something
    only virus makers can do? Or was this created through some scan lock I have accidentally enabled with some of the 345 scanners I have tested?

    2.
    I have avoided dealing with this problem for a long time, and note
    that if a virus is also behind this, then that virus is not new!!!
    and has been in the computer for several months before the current Bagle/Beagle? incident.

    Now when I've got a virus I need to get logged into safe mode,
    but I have never succeeded in doing this on Windows 7 (first-time user).
    It's not complicated really: I can launch safe mode so it looks like there will be no problem at first,
    ...after the reading of the allowed services and I get to the login screen, Windows appears to
    start counting down (doesn't show any seconds though)
    till it goes to a black screen and restarts Windows.

    Both "Network enabled" and "disabled" safe mode generate the same failure.

    If I google this problem I find people who have similar problems, yes....but their problem
    is that F8 doesn't respond; it does for me though, my problem starts after.

    Could this be a virus too? If so it's more or less impossible to ever find it unless we get into safe mode first; I can't think of any other logical reason why the computer wants to restart itself at the same place
    every time, just when I'm about to enter the safe mode interface.

    Windows 7 (64-bit) 80 day trial

    MSConfig is still set to normal start-up

    Daemon Tools was one of the random programs
    on D:/ that got killed by the virus, so we don't need
    to worry about it lying around and interfering; I have not had the
    energy to reinstall it.

    Ok, here come some attachments now, of the present and detection history
     

    Attached Files:

    Last edited: Oct 18, 2010
  2. Kloppstock

    Kloppstock Private E-2

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You need to run C:\MGTools.exe and attach the C:\Mglogs.zip
     
  4. Kloppstock

    Kloppstock Private E-2

    There were problems, it failed to generate the report, check the picture.
    What's wrong? (yes, I checked run as admin)

    I and one more person here don't understand what the goal is with me running
    this tool: is it to check for active MBR viruses? Or is it to repair these corrupted icons? And why C:/ became "read only"?

    So I still wanna determine if this is info gathering or repairing?

    I say still....since I formatted C:/ yesterday, because the F8 "repair windows start-up items" failed to recognize a Windows installation; that was not
    very pleasant to conclude, even though I could run Windows without problems.
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes MBRCheck looks for Master Boot Record infections.

    I want you to run SUPERantispyware as per the instructions in the Read and Run me First. Then attach the log regardless of what it did or did not find.

    Then give this a run:

    Using ESET's Online Scanner

    Download OTL to your desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • (Vista and Windows 7 users: right-click OTL and choose Run as Administrator)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.

    Now rename MGTools.exe to 123.com and try running it again. If it does not run in normal mode please try safe mode (I know you said you had problems using safe mode but let's try everything we can).

    If successful with MGTools then please attach the C:\MGlogs.zip into your next reply.
     
  6. Kloppstock

    Kloppstock Private E-2

    I can't give any log from "Super Anti Spyware"; it can't complete the scan because of some temp files inside c:temp that are impossible to delete, by the way.
    It slows everything down when Windows tries to contact these files in any way possible, not just virus scans...
    http://thumbnails24.imagebam.com/10359/b24268103585394.jpg
    (yes, it actually keeps claiming there are 300 items in a tracking cookie....??)
    ...CCleaner for instance can't complete its junk cleaner either if the C:temp folder is ticked in its scan settings; then it will always stand pending on 29% until I
    press cancel scan. I have set it to start as admin..that doesn't help.

    This is unusual and new behaviour that made its debut when I got the virus when I started this topic; I could always clean the temp in the past with CCleaner. However, remember I have formatted C:/ so it's highly unlikely that the same virus can survive that, and in my opinion I don't have any programs that I always install that could have brought the same virus back. That virus crack I downloaded was deleted by "FindyKill" according to the logs..and it was located on C: only; however, it was a fake crack that I clicked on from E:/ to start with,
    then the file in front of my eyes just disappeared and I guess it was in that moment moved to C:/ reg files.

    Besides, I'm not 100% sure that CAV.(numbers)tmp are virus files? It could be some standard files that Windows 7 (64) has introduced?
    Or what do you think? However, what makes them suspicious is that they can't be deleted as I said, nor can I manually trash all of them..just some
    http://thumbnails22.imagebam.com/10359/223381103586214.jpg
    ..and if you are lucky and manage to enter the temp folder after 5 minutes of trying to search-enter it and claiming I'm admin, you will see that c:/temp contains anything from 74 files to 85 files,
    because I can be inside that folder and see that new
    CAV.tmp files with individual numbers are being written live!!!!!!!!!!!!!!!!:yum
    and being removed live just as fast, even though no active process appears to be happening on the computer that would generate this and not be pests. Well, I have some security programs as you know; it would in such case be Microsoft Security Essentials, Comodo Anti Virus or Spybot that would use some kind of stealth protection that always keeps checking files?

    I have renamed MGTools to 123.com and I have set it to admin start; the only
    thing it generates is just "sysinfo.txt" and that is not what you want zipped, is it?

    Check those other attachments I can generate currently though, and to me it looks like no virus has been found this time either? :confused
     

    Attached Files:

    Last edited by a moderator: Oct 24, 2010
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, the temporary CAV files are from Comodo Anti Virus, I believe. (Windows will not let you delete the temp files from the current day.)

    You have Spybot Search and Destroy's "Teatimer" feature active which I will need for you to disable otherwise it will hinder the fix.

    How to disable Spybot's TeaTimer

    Now I want you to tell me what anti virus programs you currently have installed. Is there more than one? Take a look in your uninstall programs and let me know.

    Run OTL Script

    We need to run an OTL Fix

    • Double-click OTL.exe to start the program.
    • Copy and Paste the following code into the Custom scans/Fixes textbox. Do not include the word Code
    Code:
    :OTL
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1    
    @Alternate Data Stream - 95 bytes -> C:\ProgramData\TEMP:5C321E34
    
    :Commands
    [EmptyTemp]
    [resethosts]
    [Reboot]
    • Then click the Run Fix button at the top.
    • Click Image.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

    Run CCleaner

    Now I want you to try and run 123.com (which is MGTools.exe) again, try in normal mode first and then safe mode. Let me know how you get on.

    Let me know how things are running.
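    As an added illustration (not part of the thread, and not OTL's own code), this PowerShell snippet reads back, without changing anything, the two items the OTL fix above targets: the Explorer policy values under HKLM and the alternate data stream on C:\ProgramData\TEMP. The key path, value names and file path are taken from the OTL script; the function names are my own.

```powershell
# Added example: read-only check of the items named in the OTL fix above.
# Paths and value names come from the OTL script; nothing here modifies the system.

$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueNames = 'NoActiveDesktop', 'NoActiveDesktopChanges'
$adsFile    = 'C:\ProgramData\TEMP'   # file that carried the 95-byte alternate data stream

function Get-ExplorerPolicyState {
    # One object per policy value: whether it exists and what it is set to.
    foreach ($name in $valueNames) {
        $item = Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue
        $data = $null
        if ($null -ne $item) { $data = $item.$name }
        [pscustomobject]@{
            Value   = $name
            Present = ($null -ne $item)
            Data    = $data
        }
    }
}

function Get-AlternateStreams {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    # ':$DATA' is the file's normal content; any other stream name is an alternate data stream.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

Get-ExplorerPolicyState | Format-Table -AutoSize

$streams = Get-AlternateStreams -Path $adsFile
if ($streams) {
    $streams | Format-Table -AutoSize
} else {
    "No alternate data streams found on $adsFile"
}
```

    Running it before and after the OTL fix shows whether the policy values are gone and whether the stream was removed; the Length column should match the 95 bytes OTL reported if the stream is still present.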
     
  8. Kloppstock

    Kloppstock Private E-2

    The question is if we shall hang up on what the temp directory contains if this now is from Comodo, because I still have Comodo installed, which would probably mean that new CAV will continue to be written to that folder
    no matter if we deleted them with OTL. All I can conclude is that it completed your fix process and rebooted, but CCleaner
    still gets stuck when scanning
    (have not scanned with Super Anti Spyware additionally, since CCleaner can't get past the CAV files)
    and CAV files are still present in the temp directory.
    Check out 10252010 attached and conclude if it did what you desired.

    Spybot protection was disabled before the scan

    Concerning other anti-virus software, at the same time I have

    Comodo Anti Virus,
    Windows 7's own firewall,
    Spybot (not a full anti virus according to me, site protection)
    Microsoft Security Essentials (not a full anti virus according to me,
    since it allowed me to click that infected crack without asking; I wanna use it
    as a scanner now)
    so according to me at least I must not uninstall anything from my list.

    Concerning MGTools it still doesn't generate what it's supposed to generate, on C:/ at least, but I found a newly generated folder on E: simply called "Mgtools" containing this, whatever it is?
    http://img285.imagevenue.com/loc473/th_01983_udda_122_473lo.jpg

    So if these CAV files can't do more trouble than just not getting erased then that problem is for another thread, since there is one other thing that is more prioritised: I wanna ask you if I have used any tools that should have fixed my safe-mode issue? We must conclude if this is a virus or not that
    restarts itself, because I can't in the long run sit with an OS that never can enter safe mode. This was the first thing I ever checked after I had reformatted C:
    latest, but it was the same thing :cry
    so it's nothing I install over time that returns to put this lock on every time,
    so a virus that can survive through reformatting, that doesn't sound sober?
    Obviously the problem, whatever it is, must be controlled only from C since it's probably only C that can launch safe mode, right?
     

    Attached Files:

    Last edited by a moderator: Oct 26, 2010
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Run this:

    Running Kaspersky Online Scanner
    then the below.

    GMER - running with a random name


    Next...

    • Double click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • (Vista and Windows 7 users: right-click OTL and choose Run as Administrator)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
  10. Kloppstock

    Kloppstock Private E-2

    Damn, one of my posts disappeared? Let's retry anyhow.

    Kaspersky I don't feel so tempted to rescan with, because it will steal an additional
    7 hours of my life where the computer can do nothing else :drool
    (I have reformatted the computer since this though)
    so I may consider running it tonight when I'm unconscious; if
    it finds anything I shout, of course; if not, then consider that it didn't find
    anything this time either if I don't.

    However GMER did find something on C:.
    First I found results from having Daemon Tools installed on D:/
    merged into the below report...but then I uninstalled it and rescanned;
    Daemon Tools traces weren't named at least...and these other traces from C:/ remained. What does it mean?

    OTL refused to generate the "extra" report after successfully scanning,
    but it was ok to give me OTL.txt; don't know why it acts like this but I'm attaching OTL at least anyhow.
     

    Attached Files:

  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Like what?

    I'm not sure I know what you mean.
    You have both Comodo Internet Security and Microsoft Security Essentials installed. One of them needs to go bye bye before we continue. Having two AVs is a bad idea!

    Do this and we will see what remains to be done here in the malware forum

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Run a full system scan with your anti virus (the one you decide to keep) and let me know the upshot.
     
    Last edited: Oct 28, 2010
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    When did you do this?
     
  13. Kloppstock

    Kloppstock Private E-2

    Because it had passed 5 days of infection, and I have a rule that I have no time to waste more of my life..because time is of the essence to do something else than just computers.
    And as I said in an earlier post, we attempted a repair reinstallation since the interface of Windows had been corrupted..but everything looked like the virus was gone..and I think it really was. I think why we do this now is because the TMP files in C:/windows shall prove that they can be deleted to exclude a virus, right? And those virus types that would be able to restart safe mode when trying to enter.

    I'm talking about these lines from the attachment.

    I said "it found something"; that means that it's up to you to conclude
    if those lines are a virus or something else, and since your reply was to uninstall Microsoft Security Essentials I guess you see these lines as possible traces of this anti-virus software?

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7F 0xD4 0xF2 0x20 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7F 0xD4 0xF2 0x20 ...
    Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro\Configurations\0\HIPS\Policy\20\Rules\2\Allowed@Num 8


    I have now uninstalled "Microsoft Security Essentials" and I scanned with
    Comodo and it found those "CAV" and called them infections now.
    I removed them, but they have been replaced just as fast, and I can't delete
    temp in CCleaner.
    Now we must make a stand here, magistrate: would Comodo detect its own temp files as a virus? Possibly..but on the other hand
    it's not likely that only Comodo detects this if it's indeed a virus,
    and then that it can't permanently delete this without it returning directly.
    So I guess your advice will be that I uninstall Comodo and see if I can
    delete those CAV files with CCleaner?

    My first scan with Comodo is attached; this evening I did one more scan
    to see if it would refind the same CAV files, but this time I got another result

    TrojWare.Win32.Downloader.FakeAlert.ABC@132428097 C:\Users\23 Karat\AppData\Local\Temp\2x_E6s0a.exe.part

    that I deleted also, and rescanned with CCleaner, but it still can't get access to "temp".

    Then we also have to decide if it can still be a virus that is behind that I still can't enter safe mode; if not I guess I need to start a new thread covering that problem?

    I'm not sure I could follow the "zip" instructions for MGTools, but I hope
    it's correct? It's very odd by the way..that MGTools creates 2 folders with scan results...one C:/Mgtools containing only "sysinfo" etc and a temp folder, but the other results with the "zip" landed in E:Mgtools.
    I guess there is some logic in it anyway?
     

    Attached Files:

  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The red is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    GetRunKey <-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.
    ShowNew <-- this will try to run all another scan from MGtools. Tell me what error messages, if any, you see.

    Attach any resulting logs.
     
  15. Kloppstock

    Kloppstock Private E-2

    I couldn't finish it for an unknown reason, see the attachment
     

    Attached Files:

  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Have you backed up all your personal data and files?
     
  17. Kloppstock

    Kloppstock Private E-2

    No, the only stuff I regularly back up on C: is Firefox profiles, but that's easily done if I need to do something dangerous next? :major
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am going to suggest that you backup all your personal files and data to a cd. Then do a complete reformat and clean install. Are you willing to do that?
     
  19. Kloppstock

    Kloppstock Private E-2

    I know this thread has passed over the standard rule of how long a single problem should be handled by a single supporter,
    but I'm afraid I don't wanna reinstall now; we'd rather lock the thread as the alternative?
    Because I don't wanna reinstall till you put all your cards down on the table on what your conclusions are :yum
    There are some questions that need to be answered first, I think:

    *If you think those CAV files are virus or scanner files from Comodo?

    *Are you suggesting a clean installation to check if I can
    log in to safe mode in the beginning?

    *Are you suggesting a clean installation because of possible Windows corruption that made your scanners not write the reports you requested?

    *Or if I wanna reinstall for safety's sake..because we are now in a state where you cannot conclude if I have that special type of virus that OTL and friends searched for?

    Otherwise I can't afford to wanna reinstall again because that's
    what I did just 2 weeks ago, because of a virus that we had not yet concluded
    if it really was a virus. I don't wanna do that again because I don't feel that the computer is affected by anything negative this time; it was not
    the possible "CAV" infection that made me wanna reinstall, it was a corrupted Windows interface caused by another virus at another location.

    So everything floats, excluding that no junk cleaner software can access those CAV files, and that I still cannot enter safe mode...but the safe mode issue is not new at all,
    and I have already concluded that the reboot issue is there from the beginning of a whole new installation of Windows.
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am suggesting a clean install because of most all those reasons. If you did a clean install two weeks ago, and still had these issues, then it is not a malware issue. A reformat and clean install would have wiped any malware from your system. Which is why I am suggesting it again. Then if you are having any issues you will know to post in the software forum.
     
  21. Kloppstock

    Kloppstock Private E-2

    Yeah, but if this is one of those viruses you were afraid of, would there be a risk that it can continue to work till my other hard drives are erased too?

    My only problem right now is that I wanna be sure that the CAV files are no virus, a virus that may have arrived on the new installation with no relation to my previous virus this thread was based on.

    But it sounds like nobody knows what they are in here? What is so strange about them is that Comodo, when it detects them as a virus, only chooses about 10 of the different CAV+random numbers, but there are 70 more CAV left in the temp folder that are not infected, I guess. A virus either has one name that stands out from the rest, and does not appear to hijack just some files from the very same file tree, but what do I know...perhaps those were indeed real viruses..that differed from them?

    So the conclusion is that if it's a virus behind the fact that I have never been able to log into safe mode the normal way on Windows 7, your scan packages would have detected it already?
    Tell me, was the "ZIP" that I zipped in yesterday's attachment
    what you requested? Have I really completed all your scans successfully as you wanted, which would more or less exclude that this can be a "Master Boot Record infection"?
    If so, then I should go to the software forum and ask why Windows 7 refuses to
    boot safe mode.
     
    Last edited: Nov 1, 2010
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your inability to boot into safe mode is one of the reasons I am suggesting you do a clean install. If after doing that you still can't boot to safe mode, then you have an issue that should be addressed in the software forum. I frankly do not see any malware reasons for that.

    Run the eSet online scan and make sure it scans all your drives, then we will know if you are having a malware or software issue:>

    eSet Online Scan.
     
