Helping a another friend

Dmin11 · Jul 17, 2010

I've been here before.
I've been able to help several friends with the help of "READ & RUN ME FIRST".
And also have had to post for extra help a couple of times as the infections were beyond my limited experience. So depending on who reads this you may recognize my handle.
This time I'm afraid I was a little cocky/careless and didn't follow all the directions to the letter. Please forgive me. Rather than foul things up I'm posting what I have and will re-run anything you may need, or re-do the entire sequence.
The computer in question is an Asus EeePC "Netbook" running Windows XP Home Edition.
First off I didn't change any settings in the "msconfig" option. Since it was running with some options already unchecked I didn't know if it was necessary to start them up if they hadn't been running already. Secondly, like a "newbie" I forgot to run CCleaner. And thirdly I evidently ran a "portable" version of SuperAnti-spyware and didn't obtain a log. But, SuperAnti-Spyware did clean out a number of infections. Other than those mistakes....duhhh, I have everything else normaly required.
Upon completion of the operations I ran Malwarebytes Anti-malware again to check if there were any infections still on the computer. Since I had already noticed a notation in one of the logs stating it was unable to remove one of the infections I thought there might still be a problem. When Malwarebytes showed 16 infections and froze in the middle of the second scan, I knew there was going to be a big problem. That's when I knew I'd be checking in with you here.
Unfortunately I had several things delay me getting to posting this until today. Since the fellow I'm helping hasn't used his computer since April, (it took him that long to get it to me), I figured an extra week wouldn't make much difference.
As always, "Thanks in advance" for all your help. I look forward to working through your instructions and learning a little more once again.

Regards,
Dmin11

chaslang · Jul 17, 2010

I'm sorry to give you the bad news but you will have to do a total clean reinstall.

Your logs show that your Windows Operating system files have become infected by a Virut infection and there is no known reliable fix for this. In addition there are many many other infected files. We could spend a lot of time trying to remove this infection, but odds are that it will not work because the nature of the infection has so many executable system files infected that as soon as we fix one file, other files that are infected will almost immediately or upon the next reboot, just reinfect the files. In addition, your PC would still basically be unreliable/untrustworthy even if we manage to fix the infected files that we can see since there could be many more that we are not seeing.

The safest thing for you to do is backup your personal data immediately since your PC could possibly become unbootable at any point in time. Do not back up any executable files. This includes programs that you have downloaded since any of them could be infected. Anything you may have already backed up that is an executable type file (things you downloaded to install programs....etc) are most likely infected and will cause you to be reinfected if you reuse these files.

Once you backup, you need to format partitions and reinstall Windows and all other software especially your protection software. Then install all updates for all software. DO NOT reinstall from any executable file backups you made while this PC was infected or you will just be reinstalling the infection.

NOTE: If you inserted any USB flashdrives or other writeable media into this PC, and the removable drive contain any executable type files, they are all likley infected and the removable drive should be formatted for safety before you plug it into another PC and infect that PC too.

Dmin11 · Jul 17, 2010

Ouch,
Thanks for the info Chaslang. I had already instructed my friend on his less than safe practices . I'll be printing out your reply to show him just how unsafe those practices were.
I guess I can say that fortunately his computer came with a factory re-install partition, which I'll be using to re-install the original set-up. Assuming that's okay to do. He was already prepared to lose all his data so this isn't totally unexpected.
I'm going to see if I can backup his documents and such but, otherwise I understand what you've said and will stay clear of any executable files.
Thanks again for the help. Guess this was one of the "easier" ones....LOL.

Regards,
Dmin11

chaslang · Jul 18, 2010

You're welcome. Make sure your friend reads, understands, and follows the below:

How to Protect yourself from malware!

Dmin11 said: ↑

I guess I can say that fortunately his computer came with a factory re-install partition, which I'll be using to re-install the original set-up. Assuming that's okay to do.
Click to expand...

Should be okay. Just double check the sizes of c:\windows\explorer.exe and c:\windows\system32\userinit.exe ( just two examples ) afterwards to make sure they are valid. What they were in your logs, shows the size is wrong due to the Virut infection.

Dmin11 · Jul 23, 2010

Just getting back to this now Chas. Going to print out everything for him to read. I'll be seeing him this weekend. So far so good. Re-install is complete and I'm checking things now.
Thanks again for all your help....

Regards,
Dmin11

chaslang · Jul 24, 2010

You're welcome. Surf safely.

Log in or Sign up

Helping a another friend

Dmin11 Private E-2

Attached Files:

mbam-log-2010-07-06 (20-26-32).txt

ComboFix.txt

MGlogs.zip

RRLog.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Dmin11 Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Dmin11 Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member