
No Desktop Icons, Disabled Task Mgr & Regedit [Solved]


This topic is locked.

#31 fenzodahl512 (Malware Removal, 9,863 posts)
Ok.. I assume you still have the cloned hard disk unattached to the computer, right?.. Just leave it there.. It will be useful in the worst-case scenario...


Let's do this..


Delete Any trace of Dr.Web and ComboFix from the computer...


Please download Dr.Web CureIt to the Desktop:
  • Double-click the launch.exe or cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, just let it cure whatever it finds...
    • Now, go to Settings >> Change Settings
    • Go to the Actions tab >> under the Objects section, change the settings to the ones below:
      • Infected objects - Cure
      • Incurable objects - Report
      • Suspicious objects - Report
    • Don't change any other settings
  • Start the scan again. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan finished, click Select all
  • Click on Cure and choose Report incurable (means take no actions.. Don't "move", "rename" or "delete")
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Post DrWeb.csv in your next reply (Open it as Notepad).. Do NOT reboot the computer yet..

Edited by fenzodahl512, 19 February 2009 - 01:38 AM.

#32 Neil Bradley (Topic Starter, 39 posts)
Actions taken. VERY small list, only a few files left with Virut on them. We are definitely making progress!

I have not yet rebooted computer, and will not until told.

Neil

Attached Files


#33 fenzodahl512 (Malware Removal, 9,863 posts)
Let's clean your Restore Points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous Restore Points which are likely to be infected)
To create a new Restore Point.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK. This will flush your old System Restore.
  • Then please UNCHECK the Turn off System Restore.
  • Click again on Apply, and then click OK. This will create a new Restore Point.
System Restore will now be active again.



Then please create a fresh Restore Point... Please visit this webpage if you do not know how..




NEXT


Actions taken. VERY small list, only a few files left with Virut on them. We are definately making progress!

I have not yet rebooted computer, and will not until told.


Let's verify it with Kaspersky Online Scanner... :)


Please do this step before you sleep or when you don't use the computer as it will take quite a while..

Please run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.


  • Click on SCAN NOW
  • Click Accept.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  • The scan will take a while, so be patient and let it finish.


When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop.
  • In the File name area use KScan, or something similar.
  • In Save as type: click the drop arrow and select: Text file [*.txt]
  • Then, click: Save

Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



And, as usual, still DO NOT reboot the computer :)
#34 Neil Bradley (Topic Starter, 39 posts)
Two problems.

1) I can not re-enable system restore while in safe mode, according to alert boxes from the computer.
2) I can not access the internet at this time, as I did not boot the computer in safe mode w/networking, just in normal safe mode.

So, I need to reboot computer to complete the desired tasks.

Let me know what you want to do.

Also, an FYI. I am going to be traveling out of town starting Friday mid-morning, returning late on Saturday. So, I will be able to do a few things, and then there will be a slight delay until I return.

Neil
#35 fenzodahl512 (Malware Removal, 9,863 posts)
Ah.. Ok.. Now please reboot into Normal Mode, and do my previous instruction first.. :)
#36 Neil Bradley (Topic Starter, 39 posts)
Rebooted, able to access desktop and internet.

Completed the system restore per your message.

Scanning in progress.

I will post results when I return in about 30 hours.

Neil
#37 fenzodahl512 (Malware Removal, 9,863 posts)
Don't worry.. I'll wait :)
#38 Neil Bradley (Topic Starter, 39 posts)
I came home to a desktop with no program running.

I restarted the scan last night. When I went to bed, it had found about 40 files. This morning, there was a Windows Error saying that explorer.exe had failed and was forced to close. I now have a desktop back again, but no scan results.

I was running the scan in Firefox.

Double-clicking on Firefox brings up the box to restore previous/start new. Clicking on restore previous, I get Google on one tab and Kaspersky on a 2nd. Clicking on the Kaspersky tab causes Firefox to restart.

Opening up IE, I get a Windows error box: "Windows cannot find "(null)". Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search".

I am now running a Dr.Web scan of the computer again. It found a rootkit in the quick scan - trojan.NtRootKit.2686. It is now in the process of the complete scan. I anticipate this taking about 3-4 hours.

I will post that log when it is through.

Neil

Edited by Neil Bradley, 22 February 2009 - 09:36 AM.

#39 fenzodahl512 (Malware Removal, 9,863 posts)
Wow.. That's a loong process.. I don't know how you can cope with it :)

Anyhow, Dr.Web found a rootkit and that's not good.. Will wait for the Dr.Web result to see where the full path of this rootkit is..
#40 Neil Bradley (Topic Starter, 39 posts)
Scan finally completed. 462119 files.

Attached is the report.

This computer is not the primary one I use, so it's sitting on a desk near me, where I can keep an eye on it while things are scanning. It is frustrating on how long things are taking, but that's the way it goes.

Neil

Attached Files


#41 fenzodahl512 (Malware Removal, 9,863 posts)
Hello... First of all, let's turn off System Restore, as I can see the Virut things are detected from there in System Restore..

Please visit below website if you do not know how...

http://www.pchell.co...emrestore.shtml


Note: BitDefender Online Scan can only be used with Internet Explorer..

Let's do an online scan with BitDefender Online Scanner
  • Click on I Agree
  • Please install the Add-ons if requested
  • Click on Start Scan
  • Let it update its virus definitions.. It will then automatically scan all your files and folders..
  • If infections are found, it will attempt to disinfect/delete the infection..
  • After the scan finishes, click on More Detail >>
  • Go to Detected Problems tab and click on Click here to export the scan report
  • Save the report as result.html on your Desktop. Copy the whole content of result.html and paste it in Notepad
  • Save the result in the Notepad and post the contents here in your next reply


DO NOT reboot the computer yet :)

Edited by fenzodahl512, 23 February 2009 - 08:03 AM.

#42 Neil Bradley (Topic Starter, 39 posts)
Update.

I could not get BitDefender to run. I believe we still must have a BHO in there, as IE locks up whenever I try to go to any web page other than the home page.

I reset the home page to the bit-defender link, but it opens a new window to run the scan, and that locks up IE.

I tried the Kaspersky scanner, same thing - it opens a new window.

I am trying to run a scan with the Trend Micro HouseCall, but it's been running for 36 hours, and at the moment, the screen says it will take 1.5 more days to run. As all the estimated times on that website have been grossly underestimated, I don't think that 1.5 days is realistic.

Can we try something else?

Neil
#43 fenzodahl512 (Malware Removal, 9,863 posts)
Yes.. Delete both ComboFix and also Dr.Web from the computer.. One question.. Do you have any live-bootable CD such as UBCD or Bart-PE?


Not sure if Virut managed to re-infect the computer, so, let's do yet another scan with ComboFix.. as usual, download a fresh copy from below, run it and post the log here...


Link 1
Link 2
Link 3


#44 Neil Bradley (Topic Starter, 39 posts)
When trying to run combofix, either from the desktop or direct from the CD, I get an error: This OS is not supported.

I rebooted into safe mode w/networking, no change.

The below steps are done while in safe mode w/networking.

I ran another scan with malwarebytes, log attached.

I also ran a scan with GMER (from the CD). Log attached.

I have GMER running now, just told it to save log, nothing else.

<><>
I have downloaded and created a bootable CD of UBCD, so I have that available.
<><>

Neil

Attached Files


#45 fenzodahl512 (Malware Removal, 9,863 posts)

The below steps are done while in safe mode w/networking.


Please don't reboot in Safe Mode with Networking unless necessary.. The reason is, while the computer is on that mode, it has no protection at all while you're online..

Ok.. I'm not sure how you're gonna do this.. But here's the plan..

Reboot into Normal Mode, Download Dr.Web CureIt to the Desktop, but don't do anything with it yet... We will need it later..


I need you to upload some files.. Tell me whether you successfully uploaded the files or not.. Please zip them first before sending them to the upload channel..

Please show hidden files and folders

Please visit this site and upload below file.. At the comment section, just say "fenzodahl512 asked to upload the file"

C:\47aaaf6d92c8ebd89214fdb63e98a321.zip
C:\WINDOWS\system32\47aaaf6d92c8ebd89214fdb63e98a321.sys
C:\WINDOWS\System32\dataclen32.dll


Whether you find them or not, then please do below step..




Please download The Avenger by Swandog46 and unzip it to your Desktop


Please open The Avenger. Then, please copy/paste the script inside the codebox into the Input script here: box..

Begin copying here:
Drivers to disable:
47aaaf6d92c8ebd89214fdb63e98a321

Drivers to delete:
47aaaf6d92c8ebd89214fdb63e98a321

Files to delete:
C:\47aaaf6d92c8ebd89214fdb63e98a321.zip
C:\WINDOWS\system32\47aaaf6d92c8ebd89214fdb63e98a321.sys
C:\WINDOWS\system32\nezogeju.dll
C:\WINDOWS\System32\dataclen32.dll
C:\WINDOWS\System32\sqkmlx.dll
C:\WINDOWS\System32\owekvkop.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  • Now, click on Execute. Just say Yes at every prompt

The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply.



Post the Avenger log here.. Then reboot your computer with the UBCD boot cd.. After you get into Desktop, run Dr.Web CureIt while you're in UBCD mode.. Do a full scan and set it as usual.. Follow the instruction below if you forget how :)

Double-click the launch.exe or cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, please do a re-scan.. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan finished, click Select all
  • Click on Cure and choose Move incurable
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit. Reboot your PC in Normal Mode, and post DrWeb.csv in your next reply (Open it as Notepad)


Then post the log here...

Reboot your Computer into Normal Mode, and then run Dr.Web again.. and in full scan again.. We want to make sure no Virut survived after rebooting :)


Post these logs in your next reply..

1. The Avenger
2. Dr.Web (in UBCD mode)
3. Dr.Web (in Normal Mode)...
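As an added example (not from this thread, nor from Dr.Web, The Avenger or any other tool it names): the "zip the files before sending them to the upload channel" step done as a small Python helper. It records size and SHA-256 for each requested path, reports which paths are absent (the helper above says to proceed whether or not the files are found), and packs the ones that exist into a zip with a manifest.json, so the analyst receiving the archive can confirm the contents were not altered in transit. The demo writes placeholder contents under a temporary directory using two of the three file names listed in the post; it never reads the real system paths, and the contents are constructed, not real samples.

```python
"""Collect suspected files for offline analysis.

inspect_paths  -> which requested paths exist, with size and SHA-256
pack_samples   -> zip the located files plus a manifest.json
verify_archive -> re-hash every archive entry against the manifest
"""
import hashlib
import json
import os
import tempfile
import zipfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inspect_paths(paths):
    """Return (found, missing). found maps path -> {"size", "sha256"}."""
    found, missing = {}, []
    for path in paths:
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                data = fh.read()
            found[path] = {"size": len(data), "sha256": sha256_hex(data)}
        else:
            missing.append(path)
    return found, missing


def pack_samples(found, out_zip):
    """Zip the located files and a manifest.json describing them.

    Entries are stored by basename only, so the archive carries no absolute
    paths; the original path lives in the manifest. Name collisions get a
    numeric suffix so two files with the same basename both survive."""
    manifest, used = {}, set()
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, info in found.items():
            arcname = os.path.basename(path)
            stem, ext = os.path.splitext(arcname)
            n = 1
            while arcname in used:
                arcname = f"{stem}_{n}{ext}"
                n += 1
            used.add(arcname)
            zf.write(path, arcname)
            manifest[arcname] = {"original_path": path, **info}
        zf.writestr("manifest.json", json.dumps(manifest, indent=2))
    return manifest


def verify_archive(zip_path):
    """True if every manifest entry's SHA-256 matches the stored bytes."""
    with zipfile.ZipFile(zip_path) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        return all(sha256_hex(zf.read(name)) == entry["sha256"]
                   for name, entry in manifest.items())


# Constructed placeholder contents (not real files from the thread); only the
# file names mirror the post, and they are created under a temp directory.
SAMPLE_FILES = {
    "47aaaf6d92c8ebd89214fdb63e98a321.sys": b"constructed driver placeholder\n",
    "dataclen32.dll": b"constructed dll placeholder\n",
}


def demo():
    """Request three files of which two exist; collect, pack and verify."""
    root = tempfile.mkdtemp()
    for name, data in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    requested = [os.path.join(root, n) for n in SAMPLE_FILES]
    requested.append(os.path.join(root, "47aaaf6d92c8ebd89214fdb63e98a321.zip"))

    found, missing = inspect_paths(requested)
    out_zip = os.path.join(root, "samples.zip")
    manifest = pack_samples(found, out_zip)
    with zipfile.ZipFile(out_zip) as zf:
        entries = sorted(zf.namelist())
    return {
        "found": found,
        "missing": [os.path.basename(m) for m in missing],
        "manifest": manifest,
        "zip_entries": entries,
        "verified": verify_archive(out_zip),
    }


if __name__ == "__main__":
    result = demo()
    print("missing:", result["missing"])
    print(json.dumps(result["manifest"], indent=2))
    print("archive verified:", result["verified"])
```

The manifest is what turns an ad-hoc upload into something checkable: whoever analyses the archive can re-run verify_archive, and the SHA-256 values give both sides a stable way to refer to each sample without quoting paths.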