OK, I just ran through the XP Cleaning Procedures

Discussion in 'Malware Help (A Specialist Will Reply)' started by kevgeez, Apr 24, 2010.

  1. kevgeez

    kevgeez Private E-2

    Again.
    I found out what I did wrong last time (Kestrel, if you are the one reading this):
    I deleted the old ComboFix folder in C:\, and it left behind some ghost folders.
    I decided to delete those folders before I ran my NEW combofix.exe.

    Anyway, I just ran through the READ & RUN ME & XP Cleaning Procedures.
    It's strange that the XP clean-up page tells you to run ComboFix, but everything else tells you to wait until you have an expert with you...

    :confused



    Also, I have this noise (completion notification noise) every 10 minutes.
    Know anything about that?
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Why did you not finish with Kes?

    You were seriously infected. We need to do a few things first:

    Now download and save this XPsp3bu.exe to your C:\ root folder. You must do this properly. Now run the XPsp2bu.exe program by double clicking on it. You may or may not notice a quick flash of a black window. This is normal. The program runs quickly and just extracts some files we need.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    c:\windows\system32\ms.bin 
    c:\windows\system32\MSWINSCK.OCX 
    c:\windows\system32\4738733.exe 
    c:\windows\system32\69564.exe
    c:\windows\system32\7290.exe 
    c:\windows\system32\d.bin 
    c:\windows\system32\msfazmlf.dl
    c:\windows\system32\so.bin
    c:\windows\system32\PereSvc.exe 
    c:\windows\system32\Install.txt 
    c:\windows\system32\1666055.exe
    C:\WINDOWS\TEMP\xq8i.exe
    C:\WINDOWS\system32\w.exe
    
    FCopy::
    C:\MGtools\temp\spoolsv.exemg | c:\windows\system32\spoolsv.exe
    C:\MGtools\temp\userinit.exemg | c:\windows\system32\userinit.exe
    C:\MGtools\temp\explorer.exemg | c:\windows\explorer.exe
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "uTorrent"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "izqtfu"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "zh5l"=-
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  3. kevgeez

    kevgeez Private E-2

    OK, I tried running ComboFix but it's not letting me.
    It says I might have Virut, and then it auto-deletes combofix.exe.

    I'm running SAS again to see if I can get Virut off and then try ComboFix again.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It was too late in the thread with Kestrel13! and it is too late here. The PC is still infected with Virut or was reinfected after a reinstall by installing files that still carried the Virut infection.

    Your logs show that your Windows Operating system files have become infected by a Virut infection and there is no known reliable fix for this. In addition there are many many other infected files. We could spend a lot of time trying to remove this infection, but odds are that it will not work because the nature of the infection has so many executable system files infected that as soon as we fix one file, other files that are infected will almost immediately or upon the next reboot, just reinfect the files. In addition, your PC would still basically be unreliable/untrustworthy even if we manage to fix the infected files that we can see since there could be many more that we are not seeing.

    The safest thing for you to do is backup your personal data immediately since your PC could possibly become unbootable at any point in time. Do not back up any executable files. This includes programs that you have downloaded since any of them could be infected. Anything you may have already backed up that is an executable type file (things you downloaded to install programs....etc) are most likely infected and will cause you to be reinfected if you reuse these files.

    Once you backup, you need to format partitions and reinstall Windows and all other software especially your protection software. Then install all updates for all software. DO NOT reinstall from any executable file backups you made while this PC was infected or you will just be reinstalling the infection.
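    One way to carry out the "documents only, no executables" backup chaslang describes above, as an added example (not chaslang's or MajorGeeks' own tooling): a Python script that copies a folder tree but refuses anything with an executable extension or an MZ header, since a PE infector such as Virut travels inside executables regardless of their name. The extension list and the sample files are constructed for the demonstration.

```python
"""Back up personal data while refusing every executable.
Added example, not from the MajorGeeks thread. The advice above is to save
documents but no program files, because a PE infector such as Virut lives
inside executables and would ride the backup onto the reinstalled system.
Files are refused by extension AND by content: anything starting with the
"MZ" DOS header is a DOS/Windows executable whatever it is named.
"""
import os, shutil, tempfile

# Extensions Windows runs or loads as code; a constructed, non-exhaustive list.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".sys", ".ocx", ".cpl",
                   ".drv", ".pif", ".bat", ".cmd", ".vbs", ".js", ".msi"}

def is_executable(path):
    """True if the file must stay behind: executable extension or PE header."""
    if os.path.splitext(path)[1].lower() in EXECUTABLE_EXTS:
        return True
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"   # every PE image begins with this header

def backup_tree(src, dst):
    """Copy src into dst skipping executables; return sorted (copied, skipped)."""
    copied, skipped = [], []
    for root, _dirs, files in os.walk(src):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src)
            if is_executable(full):
                skipped.append(rel)
                continue
            os.makedirs(os.path.join(dst, os.path.dirname(rel)), exist_ok=True)
            shutil.copy2(full, os.path.join(dst, rel))
            copied.append(rel)
    return sorted(copied), sorted(skipped)

def demo():
    """Build a constructed sample tree in a temp dir, back it up, return lists."""
    base = tempfile.mkdtemp()
    src, dst = os.path.join(base, "Documents"), os.path.join(base, "Backup")
    os.makedirs(os.path.join(src, "Photos"))
    samples = {  # constructed contents, not real files
        "letter.txt": b"Dear Sir,\n",
        os.path.join("Photos", "cat.jpg"): b"\xff\xd8\xff\xe0 constructed jpeg",
        "setup.exe": b"MZ\x90\x00 refused by extension",
        "notes.txt": b"MZ\x90\x00 a PE hiding behind .txt, refused by content",
    }
    for rel, data in samples.items():
        with open(os.path.join(src, rel), "wb") as fh:
            fh.write(data)
    return backup_tree(src, dst)
```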
     
  5. kevgeez

    kevgeez Private E-2

    Thanks... I figured it was too late.
     
  6. kevgeez

    kevgeez Private E-2

    Thanks for trying

    This laptop is giving me so many problems.
    I'd sell it if it were worth more than a plugged nickel.
    Oh.
    Should I download SAS, MBAM, and Spybot S&D right after I reinstall Windows?
    :confused

    You can go ahead and close this thread after your next post.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Thanks for trying

    These free tools do not provide you any protection. It is actually more important that the first thing you install after Windows is an antivirus, antispyware protection if not included with your antivirus, and a real firewall. See How to Protect yourself from malware!

    Also make sure you pay attention to the previous instructions!!!! If you backup any executable files and reuse them, you will restart the infection all over again. And if in the past (like the last time you were here with Kestrel13!) you had backed up any executables, you are likely just causing yourself to be reinfected after the reinstall. No protection software will completely protect you from yourself.
     
  8. kevgeez

    kevgeez Private E-2

    Good. This thread is still open

    I reinstalled correctly this time.
    And added Comodo Firewall. Pretty good to have.
    It seems that Automatic Updates is what's messing me up.
    It keeps installing Service Pack 3, and my computer blue-screens from that.
    So I have turned Auto Updates off.

    I'll post the logs... but I'm not doing any ComboFix things until told to.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Good. This thread is still open

    No you did not! You reinstalled the infection or you did not repartition, then format, and reinstall from clean original media.

    All of the below files in RED are already infected and these are main system files running all the time which means this will spread to other files. The files in black are the valid file sizes for your Service Pack level.
    Code:
    ============= Finding copies of ctfmon.exe ===================================
    "C:\WINDOWS\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\ctfmon.exe" 15360 08/10/2004 04:00 AM
    "C:\WINDOWS\system32\ctfmon.exe" 34304 08/10/2004 04:00 AM   <== RED
    "C:\WINDOWS\system32\dllcache\ctfmon.exe" 15360 08/10/2004 04:00 AM
    ============= Finding copies of explorer.exe =================================
    "C:\WINDOWS\explorer.exe" 1051136 08/10/2004 04:00 AM   <== RED
    "C:\WINDOWS\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\explorer.exe" 1032192 08/10/2004 04:00 AM
    "C:\WINDOWS\system32\dllcache\explorer.exe" 1032192 08/10/2004 04:00 AM

    ============= Finding copies of regedit.exe ==================================
    "C:\WINDOWS\regedit.exe" 165376 08/10/2004 04:00 AM   <== RED
    "C:\WINDOWS\system32\dllcache\regedit.exe" 146432 08/10/2004 04:00 AM

    ============= Finding copies of userinit.exe =================================
    "C:\WINDOWS\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\userinit.exe" 24576 08/10/2004 04:00 AM
    "C:\WINDOWS\system32\userinit.exe" 43520 08/10/2004 04:00 AM   <== RED
    "C:\WINDOWS\system32\dllcache\userinit.exe" 24576 08/10/2004 04:00 AM

    Thus as stated, you are either not performing the reinstall properly, or you are reinstalling from infected backups. DO NOT USE anything that you have from backups. You must reinstall only from your original Windows CD and then do not reinstall anything that you have saved in the past since it is likely infected. You need to use new clean downloads. Also if you have been copying any of your files to other PCs, you may have infected them. If you plugged any external/removable writeable drives like USB flash drives into this PC, then those removable drives may also be infected. If this PC is part of a network with drives and file sharing enabled, then other PCs on the network may be infected. Are you getting what I'm driving at??? Virut and other similar PE infectors will spread to everything. And even keeping one infected file around out of 200,000 will allow the infection to spread again to all executable files in a matter of a few days to a week.
     
    Last edited: Apr 26, 2010
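    The size comparison chaslang makes above, as an added example that is not part of the thread or of MGtools: a parser for the "Finding copies of" listing that flags every copy of a binary whose size differs from the copy under system32\dllcache, the reference the post treats as the valid size for the Service Pack level. It assumes the listing format shown in the post; the sample log is constructed.

```python
"""Flag Windows system binaries whose size disagrees with the trusted copy.
Added example, not from the MajorGeeks thread. It parses the "Finding
copies of <name>" listing shown in the post above and compares each copy
against the one under system32\\dllcache (the Windows File Protection
cache), which the post treats as the valid size for the Service Pack level.
"""
import re
from collections import defaultdict
# Constructed sample in the listing's format; sizes mirror the post above.
SAMPLE_LOG = """\
============= Finding copies of ctfmon.exe ===================================
"C:\\WINDOWS\\system32\\ctfmon.exe" 34304 08/10/2004 04:00 AM
"C:\\WINDOWS\\system32\\dllcache\\ctfmon.exe" 15360 08/10/2004 04:00 AM
============= Finding copies of explorer.exe =================================
"C:\\WINDOWS\\explorer.exe" 1051136 08/10/2004 04:00 AM
"C:\\WINDOWS\\system32\\dllcache\\explorer.exe" 1032192 08/10/2004 04:00 AM
============= Finding copies of notepad.exe ==================================
"C:\\WINDOWS\\notepad.exe" 69120 08/10/2004 04:00 AM
"C:\\WINDOWS\\system32\\dllcache\\notepad.exe" 69120 08/10/2004 04:00 AM
"""
SECTION_RE = re.compile(r"^=+ Finding copies of (\S+) =+$")
ENTRY_RE = re.compile(r'^"([^"]+)"\s+(\d+)\s')   # "path" size date time

def parse_listing(text):
    """Return {binary_name: [(path, size), ...]} from the listing text."""
    copies, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1).lower()
            continue
        entry = ENTRY_RE.match(line)
        if entry and current:
            copies[current].append((entry.group(1), int(entry.group(2))))
    return dict(copies)

def find_size_mismatches(copies):
    """Return {name: [(path, size, dllcache_size)]} for copies whose size differs
    from the dllcache copy (None if the binary has no cached copy). Timestamps
    are ignored on purpose: the infected files in the post kept their 2004 dates."""
    suspects = {}
    for name, entries in copies.items():
        cached = [size for path, size in entries if "\\dllcache\\" in path.lower()]
        reference = cached[0] if cached else None
        bad = [(path, size, reference) for path, size in entries
               if reference is None or size != reference]
        if bad:
            suspects[name] = bad
    return suspects
```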
  10. kevgeez

    kevgeez Private E-2

    Oh

    Oh. I didn't know I had to delete ALL the partitions.
    I was just deleting the C: partition.

    Here are the results from this try:
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That looks better. The files are no longer infected. Just make sure that you don't reinstall the infection from any backups now. These newer forms of Virut frequently go undetected by most scanners and they also cannot fix it even if detected. Thus, if you reinfect the PC, you will have to reinstall all over again.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between the combofix" and the /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. After doing the above, you should work through the below link:
     
  12. kevgeez

    kevgeez Private E-2

    OK, cool

    :major

    I'll get to work on that


    thanks again!
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
