HJT did work

Please see previous post "Will HJT work" which describes the problems with the computer.
Here is the HJT log below.
Sorry if I am adding this in the incorrect place, I'm not sure how to add to previous posts.
Thank you in anticipation of your help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:49:34 PM, on 1/04/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\docume~1\matt9\locals~1\temp\fmf .exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\GroupPolicy\User\Scripts\Logon\winlogo.exe
C:\Documents and Settings\matt9\Start Menu\Programs\Startup\08483.exe.exe
C:\Documents and Settings\matt9\Start Menu\Programs\Startup\1AE81.exe.exe
C:\Documents and Settings\matt9\Start Menu\Programs\Startup\2A4A4.exe.exe
C:\Documents and Settings\matt9\Start Menu\Programs\Startup\32866.exe.exe
C:\Documents and Settings\matt9\Start Menu\Programs\Startup\38EC6.exe.exe
C:\Documents and Settings\matt9\Start Menu\Programs\Startup\4E594.exe.exe
C:\Documents and Settings\matt9\Start Menu\Programs\Startup\53B49.exe.exe
C:\Documents and Settings\matt9\Start Menu\Programs\Startup\60E28.exe.exe
C:\Documents and Settings\matt9\Start Menu\Programs\Startup\649CD.exe.exe
C:\Documents and Settings\matt9\Start Menu\Programs\Startup\71E6C.exe.exe
C:\Documents and Settings\matt9\Start Menu\Programs\Startup\771DB.exe.exe
C:\Documents and Settings\matt9\Start Menu\Programs\Startup\7DE91.exe.exe
C:\Documents and Settings\matt9\Start Menu\Programs\Startup\zipdkg32.exe
c:\docume~1\matt9\locals~1\temp\fmf .exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\matt9\Desktop\winlogon.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.anaesthesia.uwa.edu.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: C:\WINDOWS\system32\ognpxo.dll - {A9BA40A1-74F1-52BD-F434-00B15A2C8953} - C:\WINDOWS\system32\ognpxo.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinDrives] C:\WINDOWS\WinDrives.EXE
O4 - HKCU\..\Run: [hsa8ffushf83hoigjhs98jgijg9sd8e] C:\DOCUME~1\matt9\LOCALS~1\Temp\wuupnz.exe
O4 - HKCU\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\matt9\LOCALS~1\Temp\services.exe
O4 - HKCU\..\Run: [autofmtxp.exe] C:\DOCUME~1\matt9\LOCALS~1\Temp\autofmtxp.exe
O4 - HKCU\..\Run: [YVIBBBHA8C] c:\docume~1\matt9\locals~1\temp\fmf .exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: 08483.exe.exe
O4 - Startup: 0AE66.exe.exe
O4 - Startup: 15001.exe.exe
O4 - Startup: 170CC.exe.exe
O4 - Startup: 1AE81.exe.exe
O4 - Startup: 1B706.exe.exe
O4 - Startup: 2A4A4.exe.exe
O4 - Startup: 30346.exe.exe
O4 - Startup: 32866.exe.exe
O4 - Startup: 38EC6.exe.exe
O4 - Startup: 46E4D.exe.exe
O4 - Startup: 4E594.exe.exe
O4 - Startup: 53B49.exe.exe
O4 - Startup: 57252.exe.exe
O4 - Startup: 60E28.exe.exe
O4 - Startup: 649CD.exe.exe
O4 - Startup: 71E6C.exe.exe
O4 - Startup: 771DB.exe.exe
O4 - Startup: 7DE91.exe.exe
O4 - Startup: 7F000.exe.exe
O4 - Startup: 824C8.exe.exe
O4 - Startup: 93A5D.exe.exe
O4 - Startup: 9742C.exe.exe
O4 - Startup: B0FBD.exe.exe
O4 - Startup: B5AD5.exe.exe
O4 - Startup: C5ECA.exe.exe
O4 - Startup: E42A1.exe.exe
O4 - Startup: E94A8.exe.exe
O4 - Startup: kill.bat
O4 - Startup: mel.bat075402 PM.bat
O4 - Startup: mel.bat281725 PM.bat
O4 - Startup: mel.bat483046 PM.bat
O4 - Startup: mel.bat494942 PM.bat
O4 - Startup: mel.bat591355 PM.bat
O4 - Startup: mel.bat591357 PM.bat
O4 - Startup: zipdkg32.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154524186845
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7173962C-9BD4-4730-8BCC-8D499E454DBB}: NameServer = 203.161.127.1,203.153.224.42
O17 - HKLM\System\CS1\Services\Tcpip\..\{7173962C-9BD4-4730-8BCC-8D499E454DBB}: NameServer = 203.161.127.1,203.153.224.42
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (file missing)
O20 - AppInit_DLLs: app_dll.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: jsg9dgjisdogje94guiofjgd - {A9BA40A1-74F1-52BD-F434-00B15A2C8953} - C:\WINDOWS\system32\ognpxo.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

--
End of file - 7993 bytes

Hello Alan117 and Welcome to GeekPolice Malware removal forum.

My nick is Net_Surfer and I will be helping you with your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing "your computer problems only" and by no means should be used on another computer.

I would also like to inform you that most of us here at GeekPolice offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!


Please be patient and I'd be grateful if you would note the following:

The cleaning process is not instant. Gmer, DDS, ComboFix, RSIT and hijackthis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.[/b]

1. Please Read All Instructions Carefully and perform the steps fully and in the order they are written.
   
   
2. If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
   
   
3. Do not attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.
   
   
4. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.
   
   
5. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
   
   
6. Please continue to review my answers until I tell you that your machine is clean and free of malware. (Absence of symptoms does not mean that everything is clear.
   

Just because you can't see a problem doesn't mean it isn't there.

If you can do these things, everything should go smoothly.

OK. Alan117.......If you have a Vista computer ensure that you right click on the tools and run them as an Admin. IF XP double click on the program to run them.

Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.

Please carefully follow the next set of steps:

If you can not download and run the following tools, then I would like for you to try another approach:

If you have the use of another computer please either use a Flash Drive or a CD to download the following and transfer them for use on the infected machine.
Be sure you put them on the desktop of the infected computer.

* exeHelper by Raktor.

step1. Please download: exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

step2.* After running exeHelper ("without rebooting") download and run Rkill, ComboFix after the reboot of combofix run Malwarebyte's, Please follow this instructions:

We need to use the RKill Tool by Grinler

Rkill.com <--- Download site

• Please Download Rkill.com. Save it to your Desktop.
  
• Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  
  
• NOTE: If you are unable to connect to the site to download rkill, then you should download it to a clean computer and copy it to the infected one via a USB flash drive or CDROM.
  
  
• Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with Rogue programs.
  
• Please be patient while the program looks for various malware programs and ends them.
• When it has finished, the black window will automatically close and you can continue with the next step.

NOTE: If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Rogue programs when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the rogue program. So, please try running Rkill until the malware is no longer running. You will then be able to proceed with the rest of the steps.

If you continue having problems running rkill.com, you can download:
iExplore.exe or eXplorer.exe
which are renamed copies of rkill.com, and try them instead.

*If the tool does not run from any of the links, Please tell me about it.

Step 3.Download and run ComboFix Tool by sUBs

**Note: In the event you already have old versions of Combofix I need you to delete them, right click on the combofix icon on your desktop and delete it. This is a new version that I need you to download. It is important that it is saved directly to your desktop**

• If you are using Firefox, make sure that your download settings are as follows:
  
  * Tools->Options->Main tab
  * Set to "Always ask me where to Save the files".
  
  
• For Internet Explorer:
  o Choose to save, not open the file
  o When prompted - save the file to your desktop, and rename it to CFscan with .exe extension on the end.

Please download Combofix from any of the links below but rename it to CFscan before saving it to your desktop.
Link 1
Link 2

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Step 4. Please insert your flash drive and all usb-drives before running Combofix

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

• Close any open browsers.
  WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  
• The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
  
• Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

• If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
  
  NOTE: If you have Windows XP: Combofix may ask you to install the Recovery Console, please allow it to do so.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
*** When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review.***

A word of advise if you are a lurker: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read the: Combofix's "Disclaimer".

Malwarebytes' Anti-Malware

step6.* Please download: Malwarebytes' Anti-Malware
Note: If you already have Malwarebytes' Anti-Malware, just update first then run it.

• Double Click mbam-setup.exe to install the application.
  
• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform a Full system Scan", then click Scan (the scan may take some time to finish, so please be patient).
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and Paste the entire report in your next reply .
  

Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Summary of the logs I will need in your next reply:

• ExeHelper log.
  
• Rkill log.
  
• The ComboFix log.
  
• MBAM log.

How are things your end Alan117?

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day then I will close the topic. [b][i]Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order clean and free of malware.

Again, Please DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean and free of malware!!!

Kind regards
Net_Surfer


Last edited by Net_Surfer on 1st April 2010, 12:33 pm; edited 2 times in total (Reason for editing : Re-worded the isntructions)

Hi Net_Surfer
Thank you for your offer of help.

I have followed the steps you advised, but have failed with the CFscan (Combofix) as explained below.


The Combofix was downloaded from the link you provided.

I started the CFscan but after about 5minutes I received and Error box message (as printed here):
!!Alert!! Not safe to continue.
The contents of the Combo Fix package has been compromised.
Please download a fresh copy from:
http//www.bleepingcomputer.com/combofix/how-to-use-combofix
Note: You may be infected with a file patching virus ‘Virut’

When I clicked the “OK” box the CFscan shortcut that was on my desktop disappeared.


Net-Surfer, while I was doing all the steps you advised (exeHelper; Rkill) my computer was not connected to the modem/ router.

After receiving the above message about the compromised ComboFix (but having successfully completed the exeHelper and Rkill) I plugged my computer into the modem. Within a minute or so I noticed on my desktop shortcuts to “porn tube” etc they just appeared.
I did not even click on Internet Explorer. I have “shift deleted” these three shortcuts.

Then I repeated the ExeHelper and Rkill steps, once again the CFscan failed.
So at this stage I cannot safely connect my computer to the modem/router without it misbehaving.


Summary:
All tools downloaded on another computer and trasfered to the infected computer desktop using a flash drive. Flash drive left inserted into the USB port.
Step1. ExeHelper: done
Step2. RKill: done
Step3. Combofix (CFscan): Not complete, failed
Step4 . Malwarebytes: Not attempted.


Here are the contents of the exehelperlog as you requested:

exeHelper by Raktor
Build 20100329
Run at 14:13:06 on 04/02/10
Now searching...
Checking for numerical processes...
Killed numerical process 21397
Killed numerical process 32866
Killed numerical process 57252
Killed numerical process 99372
Killed numerical process 99538
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\fonts\services.exe
Deleting file C:\WINDOWS\system32\reader_s.exe
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20100329
Run at 14:39:18 on 04/02/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Hello again Alan117,

I am afraid that I have bad news for you!

Please read and take a note:

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer.

With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of virut can even penetrate and infect .exe files within compressed files (.zip, .cab, rar). The Virux and Win32/Virut.17408 variants are an even more complex file infectors which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer virut remains on a computer, the more critical system files will become infected and corrupt so the degree of infection can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damaged caused to files by virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. undetected, corrupted files (possibly still containing part of the viral code) can also be found. this is caused by incorrectly written and non-function viral code present in these files.

AVG Overview of W32/Virut

• miekiemoes' Blog on Virut.
  
• Virut and other File infectors - Throwing in the Towel?
  

Virut is commonly spread via a flash drive (usb, pen, thumb, jump) infection using RUNDLL32.EXE and other malicious files. It is often contracted and spread by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

However, the CA Security Advisor Research Blog have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

• How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
  
• What Should I Do If I've Become A Victim Of Identity Theft?
  
• Identity Theft Victims Guide - What to do
  

Since virut is not effectively disinfectable, your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

• When should I re-format? How should I reinstall?
  
• Help: I Got Hacked. Now What Do I Do?
  
• Where to draw the line? When to recommend a format and reinstall?
  

So, I suggest you to start backup all of your valuable data/documents/pictures/movies/songs/etc.. Do NOT backup any applications/installers and Do NOT backup any .exe/.scr/.htm/.html/.xml/.zip/.rar files...

This because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.

Make sure you back-up everything ONLY via CD or DVD (non-rewritable).. If you need to backup into external hard drive or thumbdrive, make sure it is EMPTY.. Meaning NO FILE inside it.. Format the external drive first before attach it to the infected computer.. A single .exe file inside the external drive may infected other computers as well.

I'm sorry..


Best regards
Net_Surfer

Hi Net-Surfer
OK, I think I am getting over the initial shock!

I do not have too much stuff on the computer that is terribly important.
So if I back up the few important things then what?

I have the original WinXP CD (it only has service pack 2 on it)

So I leave my computer physically disconnected from the modem / router.
Shut it down, and then I’m not sure what to do to reformat and reinstall windows.

Do I have to enter the setup when it is rebooting?
Is there then an option to reformat the hard drive?

There is a lot of info on the net but which is the best site for instructions in you opinion?

Thanks again

Hello again Alan117,

Glad to hear that you want to reformat.

I do not have too much stuff on the computer that is terribly important.
So if I back up the few important things then what?

I have the original WinXP CD (it only has service pack 2 on it)

So I leave my computer physically disconnected from the modem / router.
Shut it down, and then I’m not sure what to do to reformat and reinstall windows.

Do I have to enter the setup when it is rebooting?
Is there then an option to reformat the hard drive?

There is a lot of info on the net but which is the best site for instructions in you opinion?

Your computer should certainly be reformatted (the full disk, entirely) and a reinstall of the operating system is the best plan, the compromised system can never be trusted with private data. A rootkit infection is the worst kind of compromise. The "root" directory has been invaded by some unknown user(s) who can access anything from that system as it is. But to be absoƖute certain that no other malicious code exists elsewhere on the disk (even raw sectors), a full and complete reformat should be performed.

That's my $.02 worth...if it were my system I would go with the reformat/reinstall route.

===
In this situation I would say that's probably a wise decision. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action to take.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise itself by adding and hiding its extension to the existing extension of files so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best sources of information on this are:

Reformatting Windows XP
Michael Stevens Tech

You can also go see Leo's reformat tutorial by clicking the following link:

http://ask-leo.com/how_do_i_reformat_and_reinstall_windows.html?awt_l=5dMt3&awt_m=1eeIHSUbvZdfbL

***************************************************

2 guidelines when backing up:

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do NOT backup any applications/installers and Do NOT backup any files with the following extensions

• .exe
  
• .scr
  
• .htm
  
• .html
  
• .xml
  
• .zip
  
• .rar
  

This because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.


Before you reformat, download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results, they may be handy.

***************************************************

Here is a check list of items that you will need for a reformat.


1 - Backup Your Data
Copy all your data to a separate drive, CD, DVD, etc.
It may be a good idea to check the files that you backup with an online scanner, you don't want to be reinfected.
http://www.kaspersky.com/virusscanner

2 - Back Up Your Drivers
Particularly important if your computer was not delivered with driver CDs

Driver Genius Pro finds updates and backs up your drivers into an exe installer - very simple to re-install
Or there's the free DriverMax from http://www.innovative-sol.com

3 - Download Programs, Installers, and Updates
Make sure you have all the programs you will need to re-install such as an Antivirus, a Firewall, and, if not included on the installation disk, Microsoft's Service Pack 2 for Windows XP.
Take note of all the product keys and serial numbers. These may be on boxes, CDs, or in emails.

4 - Make Sure You Can Get Back Online
Check that you have modem drivers, set up instructions, and log-in details.

5 - Boot From The Windows CD and Install
Physically disconnect your internet cable between the computer and the modem/router
If your computer isn't set to boot from CD, look for the option to enter the BIOS setup during startup - usually Del, F1 or F2
In the BIOS, look for the option to change the order of boot devices
Select the CD drive as the first option
Save and exit

6 - Reload Drivers
Once the Windows installation is complete, re-load the drivers you save in 2 above

7 - Install Security Programs
Install your Antivirus, Firewall, and other security programs

8 - Install Any Microsoft Updates
Reconnect your computer to the internet and go to the Microsoft Updates site: http://update.microsoft.com/microsoftupdate
Download and install any required updates

9 - Install Any Programs
Finally, install any programs you need to run

If you have any questions, don't hesitate to ask.
===========================================

And how do I prevent this from happening again?

Credit to Quietman7 for compiling the below information
Tips to protect yourself against malware and reduce the potential for re-infection:

• Simple and easy ways to keep your computer safe and secure on the Internet.
  
• Your Guide To Staying Safe Online.
  
• Hardening Windows Security - Part 1 & Part 2.
  
• Configuring Internet Explorer for Practical Security and Privacy - How to Secure Your Web Browser.
  
• The Antivirus Defense-in-Depth Guide.
  
• Use Task Manager to close pop-up messages to safely exit malware attacks.
  

• Keep Windows and Internet Explorer current with all critical updates from Microsoft which will patch many of the security holes through which attackers can gain access to your computer. If you're not sure how to do this, see Microsoft Update helps keep your computer current.

• Avoid gaming sites, porn sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs (i.e. Limewire, eMule, uTorrent). They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Malicious worms, backdoor Trojans IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and [url=More: http://news.cnet.com/8301-1009_3-10021715-83.html]malicious Flash ads[/url] that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

• P2P Software User Advisories
  
• Risks of File-Sharing Technology
  

• Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

• What security risks are associated with USB drives?.
  
• USB-Based Malware Attacks.
  
• When is AUTORUN.INF really an AUTORUN.INF?.
  

Many security experts recommend you disable Autorun asap as a method of prevention. Microsoft recommends doing the same.

...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...

Microsoft Security Advisory (967940): Update for Windows Autorun

• Finally, if you need to replace your anti-virus, firewall or need a reliable anti-malware scanner please refer to:

• Bleeping Computer's Freeware Replacements For Common Commercial Apps
  
• Bleeping Computer's List of Virus & Malware Resources
  

***************************************************

Hope that helps.

Good Luck!

Best regards
Net_Surfer

Well done and dusted, I hope.
I have installed a “fresh copy of Windows XP” without repairing.
The whole exercise took a long time!
Anyway its up and running now.

A scan with AVG free 9 showed no virus.

A scan with Malwarebytes' Anti-Malware 1.45 Produced this:

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
Scan type: Quick scan
Objects scanned: 112103
Time elapsed: 13 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0


Your help has been invaluable, however if you could bear a few more questions I would be very grateful.
1. Prior to reformatting I transferred some files to a new external hard drive. I scanned this drive via a USB port at a clean computer using “Sophos” anti virus. It came up clean. So the question is does that mean that the virus is not there, is it possible for Sophos to miss that kind of virus?
2. When I reinstalled Windows deleted the existing partition, then made a new partition and then installed. Ok so my question is what about the “partition” of hard drive where there was no Windows XP. When you read the blue screen setup it seems as if it deletes windows from where it was located on the hard drive, then reformats that area of hard drive, then reinstalls.
So what about the rest of the disc does that get reformatted as well, or to be totally obsessive about the whole exercise should one in theory after backup go to my computer, right click disc C, then format. After that then go and do the whole reinstall windows thing?
3. Do you need scan reports of Hijack this, DDS and GMER or any others.
4. Should I run ComboFix if there are no problems?
Can running ComboFix “just in case” cause any problems?

About 7 years ago I decided for fun I would like to assemble a desktop computer, so I read books and magazines for a year or so, I had no home internet.
Anyway this computer is about 6years old now, so perhaps it's time to think of doing the project again.

May I ask, what study (course / degree) you did in order to do this sort of advisory work in this forum, and how do you get to be a technical advisor on this web site?
I am very grateful for your excellent technical advice and altruistic nature!
Kind Regards

Your help has been invaluable, however if you could bear a few more questions I would be very grateful.
1. Prior to reformatting I transferred some files to a new external hard drive. I scanned this drive via a USB port at a clean computer using “Sophos” anti virus. It came up clean. So the question is does that mean that the virus is not there, is it possible for Sophos to miss that kind of virus?
2. When I reinstalled Windows deleted the existing partition, then made a new partition and then installed. Ok so my question is what about the “partition” of hard drive where there was no Windows XP. When you read the blue screen setup it seems as if it deletes windows from where it was located on the hard drive, then reformats that area of hard drive, then reinstalls.
So what about the rest of the disc does that get reformatted as well, or to be totally obsessive about the whole exercise should one in theory after backup go to my computer, right click disc C, then format. After that then go and do the whole reinstall windows thing?

Hello again Alan117,

Okay, here it goes, it took me a bit because I wanted it to be informative and simple to understand (hopefully it is)
1> I would recommend using an online scan. Yes, a virus can be hiding embedded in one of the files. Usually an AV would catch that, but you need to have the latest definitions files for your antivirus to stay in top of new infections,. see at the bottom of my reply for instructions for an online scan....

2.1> Depending on the computer manufacturer the hard drive set up can have multiple partitions. One partition contains the manufactures s tools, re-installation utility and the other can be an empty partition. These partitions (most of the time) are not accessible from within windows. It all depends how the manufaturer configured the hard drive. You can delete any partition but you can't delete a
partition called "Unpartitioned space" and its 8 MB in size which is usually created when windows is installed.

2.2> When the main partition is deleted it the partition is now combined with another partition that maybe unpartitioned space. IF there was no other partitions i.e the tools partition that the computer manufacture usually places on a hard drive then format would delete everything in the entire disk. If there was a tool partition then whether it gets deleted and formatted would depends on the step
s contained within the CD. I am pretty sure that a computer manufacturer would make the tool partition be deleted and formatted for the simple reason that sometimes access to those partitions get corrupted and the only way to repair it would be to use the install CD. As far as I know a virus can't hide in that partition because is is hidden.

2.3> You can't for a format on the "C" drive from within windows. There are many files that are locked and protected. The most you can do is make your windows not start up.

2.4> So to answer question 2 yes, the entire disk would be re-formatted, partitions re-created and windows installed.

---

3. Do you need scan reports of Hijack this, DDS and GMER or any others.
4. Should I run ComboFix if there are no problems?
Can running ComboFix “just in case” cause any problems?

I will like you to do two scans look at the bottom of my reply for instructions.

Combofix is a very complex and dangerous tool. It is not a one size fit all tool and it is not automatically removing what needs to be removed by itself. It is like a scalpel in the hands of a surgeon. A surgeon can remove exactly what is need and no more while an untrained person would either cut too much or not enough.

Combofix is powerful enough to be able to render your computer unbootable if used wrongly or to leave your computer infected if you do not know what you are doing. You should NOT use Combofix unless you have been instructed by trained personnel, as they’re capable of doing a surgical cleanup without affecting other components of the Operating System. It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please read >>> Combofix's Disclaimer <<<.

About 7 years ago I decided for fun I would like to assemble a desktop computer, so I read books and magazines for a year or so, I had no home internet.
Anyway this computer is about 6years old now, so perhaps it's time to think of doing the project again.

It all depends how much use you gave to that machine and if it you took good care of it...but the new ones are a lot better and faster!!!.......

May I ask, what study (course / degree) you did in order to do this sort of advisory work in this forum, and how do you get to be a technical advisor on this web site?
I am very grateful for your excellent technical advice and altruistic nature!
let me know if it helps

I took a Malware training at www.bleepingcomputer.com it took me over a year to complete but you learn a few other things not related to malware. You can either join the academy here or at bleepingcomputer to became a malware helper or a tech adviser...

---

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

* Dr Web.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:

• Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version
  
• Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  
• The Express scan will automatically begin.
  (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  
• If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  
• If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  
• When complete, click Select All, then choose Cure > Move incurable.
  (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  

• Now put a check next to Complete scan to scan all local disks and removable media.
  
• In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  
• Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  
• When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  
• Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  
• In the top menu, click file and choose save report list.
  
• Save the DrWeb.csv report to your desktop.
  
• Exit Dr.Web Cureit when done.
  
• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  
• After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
  

==========
* ESET Online Scan

Sometimes malware that is removed from your computer leaves other traces behind. These traces may not be active, but they are unwanted on your computer.
Therefore, by using ESET online scanner it is possible for us to find leftover or missed malware files on your computer and we can now further clean up your computer.

You can use either Internet Explorer or Mozilla FireFox for this scan.

• Please go here then click on:
  

  Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
  All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  
  
• Select the option YES, I accept the Terms of Use then click on:
  
• When prompted allow the Add-On/Active X to install.
  
• Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  
• Now click on Advanced Settings and select the following:
  

• Scan for potentially unwanted applications
  
• Scan for potentially unsafe applications
  
• Enable Anti-Stealth Technology
  


• Now click on:
  
• The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  
• When completed the Online Scan will begin automatically.
  
• Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  
• When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  
• Now click on:
  
• Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  
• Copy and paste that log as a reply to this topic.
  

With your next post please provide:

* DrWeb.cvs report

*ESET Online Scan report

Kind regards,
Net_Surfer