Virut and other viruses, oh my! Logs attached.

Discussion in 'Malware Help (A Specialist Will Reply)' started by ryanweb, May 17, 2010.

  1. ryanweb

    ryanweb Private E-2

    Hi. First, thank you so much for this wonderful service you provide. It's amazing that you volunteer your time to help out people with serious computer trouble. I consider myself pretty computer adept but get lost in all of this, so I really appreciate knowing you're out there.

    My fiancé was watching a TV show on a national network online yesterday evening, when all sorts of fake virus alerts came up. When I found him, he had already clicked on a few of them, one of which started installing software, which I aborted, and another of which tried to remove McAfee. I quickly locked down the computer off of the network and ran a virus scan, which found Mariofev!Mem but was unable to terminate it. I then proceeded to install Avast Home Edition and run it, but it didn't find anything.

    At that point I removed McAfee and kept the Avast realtime protection up while I started following your malware removal instructions. One or more of the viruses was smart enough to try and stop me, frequently giving me the STOP 0xf4 blue screen of death; so I managed to do most everything in safe mode. Once that problem ceased, I was able to run other programs in normal mode.

    I have the sneaking suspicion that the computer still isn't clean. Though it appears to run well, I ran a full Avast scan overnight and came back to find the computer had reset, with the same "Windows has recovered from a problem" message that was appearing during the STOP errors.

    Thanks so much for your help, I have attached all logs as requested.

    Note: I had to slightly deviate from procedure and run a quick scan with SUPERAntiSpyware at first as I was trying to get it to complete before I got the blue screen of death. As you will see, I then ran a complete scan.
     


  2. ryanweb

    ryanweb Private E-2

    Re: Virut and other viruses, oh my! Additional Logs attached.

    Here are the additional logs. Thanks!
     


  3. evilfantasy

    evilfantasy Malware Fighter

    Welcome to MajorGeeks!


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX Checked until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    After clicking Fix checked, exit HijackThis.



    Download the MBR Rootkit Detector to your desktop.

    * Doubleclick mbr.exe and follow prompts.
    * A black DOS window will quickly appear then disappear.
    * When mbr.exe is finished it will create a log on your desktop.
    * Copy and paste contents of that log file to your next reply.



    Also let me know what was telling you that you have a Virut infection?
     
  4. ryanweb

    ryanweb Private E-2

    evilfantasy,

    Thanks! I ran analyse.exe per your instructions and fixed the BHO.

    I also ran mbr per your instructions and here is the log file:

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 61 !
    copy of MBR has been found in sector 62 !

    SUPERAntiSpyware detected Virut on the quick scan (excerpt):

    [Generated 05/16/2010 at 08:54 PM]

    Trojan.Agent/Gen-Virut
    C:\USERS\DUSTY\APPDATA\LOCAL\WINDOWS SERVER\NTUKVN.DLL

    Thanks again,

    Ryan
     
  5. evilfantasy

    evilfantasy Malware Fighter

    Now delete the current mbr.log file from the desktop and then follow the below instructions.

    Go to Start > Run, then copy and paste the following text into the Open field and click OK:

    "%userprofile%\desktop\mbr.exe" -f

    Next, double click on the mbr.exe file and post the contents of the new mbr.log
     
  6. ryanweb

    ryanweb Private E-2

    Thanks, here is the new log:

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 61 !
    copy of MBR has been found in sector 62 !
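
    What mbr.exe is reporting in the two lines above is that sectors 61 and 62 hold a second copy of the boot sector, while the live MBR in sector 0 itself checks out. The tool flags such copies because a bootkit that replaces sector 0 keeps the original MBR in a nearby sector so it can chain-load it; a backup copy written by a legitimate tool produces the same report. The script below is an added illustration for this thread, not part of the original posts and not GMER's code: it reads the first track of a disk image, compares every sector carrying the 0x55AA boot signature against sector 0, and sorts the copies with a simple heuristic that is this example's own assumption, not mbr.exe's detection logic. The disk image is constructed inline so the script runs offline; the function names (scan_device, find_mbr_copies, classify_copy) are this example's, and the layout with copies in sectors 61 and 62 mirrors the log posted above.

```python
"""
Look for extra copies of the MBR in the first track of a raw disk image,
the condition GMER's mbr.exe reports as "copy of MBR has been found in
sector N". Added example for this thread; the classification heuristic
is an assumption of this example, not the tool's own logic.
"""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"      # bytes 510-511 of every valid MBR / boot sector
BOOT_CODE_LEN = 446         # boot code occupies bytes 0..445
TABLE_OFF = 446             # four 16-byte partition entries follow the code


def split_mbr(sector: bytes):
    """Return (boot_code, partition_table, signature) for one 512-byte sector."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    return sector[:BOOT_CODE_LEN], sector[TABLE_OFF:TABLE_OFF + 64], sector[510:]


def classify_copy(sector0: bytes, candidate: bytes) -> str:
    """
    Heuristic (this example's assumption):
      identical-copy            byte-for-byte equal to the live MBR, i.e. a
                                backup of whatever is in sector 0 right now.
      same-table-different-code partition table matches this disk but the boot
                                code differs: an alternate MBR for this disk.
                                A bootkit that swaps sector 0 keeps the original
                                MBR nearby, so this pattern deserves a look.
      other-boot-sector         valid signature, unrelated partition table.
      not-a-boot-sector         no 0x55AA signature.
    """
    _, table0, _ = split_mbr(sector0)
    _, table1, sig1 = split_mbr(candidate)
    if sig1 != BOOT_SIG:
        return "not-a-boot-sector"
    if candidate == sector0:
        return "identical-copy"
    if table1 == table0:
        return "same-table-different-code"
    return "other-boot-sector"


def find_mbr_copies(image: bytes, last_sector: int = 63) -> dict:
    """Map sector index -> verdict for sectors 1..last_sector that carry a boot signature."""
    sector0 = image[:SECTOR]
    available = len(image) // SECTOR
    hits = {}
    for n in range(1, min(last_sector, available - 1) + 1):
        verdict = classify_copy(sector0, image[n * SECTOR:(n + 1) * SECTOR])
        if verdict != "not-a-boot-sector":
            hits[n] = verdict
    return hits


def scan_device(path: str, last_sector: int = 63) -> dict:
    """Read the first track from an image file or raw device and scan it.
    On Windows the path can be r"\\\\.\\PhysicalDrive0" from an administrator shell."""
    with open(path, "rb") as fh:
        image = fh.read((last_sector + 1) * SECTOR)
    return find_mbr_copies(image, last_sector)


def _partition_entry(boot: int, ptype: int, lba_start: int, lba_len: int) -> bytes:
    # status, CHS start (3 bytes, unused here), type, CHS end (3 bytes), LBA start, LBA count
    return struct.pack("<B3sB3sII", boot, b"\x00\x00\x00", ptype, b"\xFE\xFF\xFF", lba_start, lba_len)


def build_sample_image(total_sectors: int = 64) -> bytes:
    """Constructed disk image (not a real capture): fake MBR in sector 0,
    identical copies in sectors 61 and 62 as in the posted mbr.log, plus a
    sector 60 with the same partition table but different boot code."""
    table = _partition_entry(0x80, 0x07, 2048, 1_000_000) + b"\x00" * 48
    live_code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOT_CODE_LEN - 7)
    live_mbr = live_code + table + BOOT_SIG
    alt_code = b"\xEB\xFE" + b"\x90" * (BOOT_CODE_LEN - 2)   # jmp $ ; differs from live code
    alt_mbr = alt_code + table + BOOT_SIG
    sectors = [b"\x00" * SECTOR] * total_sectors
    sectors[0] = live_mbr
    sectors[60] = alt_mbr
    sectors[61] = live_mbr
    sectors[62] = live_mbr
    return b"".join(sectors)


if __name__ == "__main__":
    for sector, verdict in sorted(find_mbr_copies(build_sample_image()).items()):
        print(f"copy of MBR candidate in sector {sector}: {verdict}")
```

    On the constructed image the script reports sectors 61 and 62 as identical copies of the live MBR and sector 60 as an alternate MBR sharing the partition table. An identical copy tells you nothing on its own about how it got there; the same-table-different-code case is the one to dump and read, since it is what a replaced sector 0 with the original parked nearby looks like.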
     
  7. evilfantasy

    evilfantasy Malware Fighter

    Hang in there. I'm having to check on a few things for repair options. This is a Dell so our main option for repair may not work and I don't want to turn your computer into a paper weight. ;)
     
  8. ryanweb

    ryanweb Private E-2

    Thank you so much! It would make a very expensive brick! :(
     
  9. evilfantasy

    evilfantasy Malware Fighter

    Alright. I believe that everything is actually fine. The GMER scans can be tricky but I do believe there is nothing to worry about. The scans did remove a bunch of malware but the other logs in MGtools are clean so it appears the scans did their job.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  10. ryanweb

    ryanweb Private E-2

    Excellent! Music to my ears. I'll follow those instructions. I've already loaded up Comodo Firewall and Avast Home so that he'll be all set up and protected like my system is, as well as adding additional programs recommended by you all. Can't tell you how much I appreciate all of your help!

    Ryan :wave
     
  11. evilfantasy

    evilfantasy Malware Fighter

    Those are both very good security tools. Just remember: nothing is "bulletproof". Common sense rules the day when surfing the net. ;)

    You're welcome, and safe surfing!
     
