"an unauthorized change was made to windows..." after removi

#1 etan92612 (Member, 20 posts)
I ran Malwarebytes several times to remove a few rogue anti-virus programs and a virus that made my computer talk constantly. I don't see the rogue pop-ups anymore and the talking has stopped but now I can't get Windows to fully work. When I log on I get the message "an unauthorized change was made to windows..." When I click to learn more, I go to the Genuine Microsoft Software site and it tells me that my computer did not pass genuine validation. I'm sure that the malware has corrupted a file. I don't have anything on the desktop but a blank screen and IE when I click to learn more about the unauthorized change. When I search in Google I'm redirected to advertising sites. What should I do now?

Edited by etan92612, 15 April 2010 - 01:03 AM.

#2 RKinner (Malware Expert, MVP, 24,625 posts)
Can you download and run the programs in

http://www.geekstogo...uide-t2852.html

and post the logs? (Copy and paste - do not attach)

Ron
#3 etan92612 (Topic Starter, Member, 20 posts)
Thank you for your reply but now I have the problem of not being able to start my computer. I get a message in safe mode "Interactive logon process initialization has failed. Please consult the event log for more details." I need a recovery disk...don't I?
#4 RKinner (Malware Expert, MVP, 24,625 posts)
Which PC do you have? Many of the larger PC makers put a recovery partition on the hard drive. Usually it's F10 or F12 to access during boot.

Supposedly (haven't tested it myself) there is a Vista recovery disk you can download. It won't reinstall your Vista but should let you run basic fixes.

http://neosmart.net/...-disc-download/

If you can get it to work then follow the steps in

http://www.bleepingc...utorial147.html

but instead of Command Prompt choose Startup Repair.

Ron
#5 etan92612 (Topic Starter, Member, 20 posts)
That Vista Recovery Disk works. I clicked Startup Repair and it told me Startup Repair could not detect a problem. Then I clicked on System Restore to get to a point where I could use the Start button. I went to Start, All Programs, Accessories, right clicked on Command Prompt, clicked Run as Administrator, typed net start slsvc, closed, then validated Windows at www.microsoft.com/genuine. I cold booted the computer and it did 15 Windows updates. When the computer restarted I got the same message "an unauthorized change was made to windows..." Tried to start in Safe Mode to get the Start button but can't net start slsvc in Safe Mode. The way it is now, I need to F8 on start up to do a system restore every time I turn on the computer, then go through the whole routine to validate Microsoft. When I run Malwarebytes it shows tons of infections. What do you suggest?
#6 RKinner (Malware Expert, MVP, 24,625 posts)
Go into Safe Mode with networking and run MalwareBytes then make sure when the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.


If you can, run Combofix as follows:

Download but do not yet run ComboFix.
If you have a previous version of Combofix.exe, delete it and download a fresh copy.

It must be saved to your desktop; do not run it yet.

Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html

Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Right click on george and Run As Administrator to start the program.

* Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time.

If you can get a log from either program or from OTL that would be useful.

Ron
#7 etan92612 (Topic Starter, Member, 20 posts)
I ran Malwarebytes in Safe Mode with Networking. When the scan finished I did not reboot. I don't have any of the real time scanners described in http://www.bleepingc...opic114351.html.
The bad news is that when I click on the George icon I get an error box that says:

!!ALERT!! It is NOT SAFE to continue!

The contents of the ComboFix package has been compromised. Please download a fresh copy from:

http://www.bleepingc...to-use-combofix

Note: You may be infected with a file patching virus "Virut"

I've tried downloading a fresh copy but keep getting the same message.

Is reformatting my only option?
#8 RKinner (Malware Expert, MVP, 24,625 posts)
Did you turn off your anti-virus while downloading and running Combofix? If you didn't that would explain the error message. If that was the case, turn it off then download combofix again and this time save it as george2.exe. You do not want it to have virut so even if you think you did turn off the anti-virus, do it again. Uninstall the anti-virus if you have to.

Ron
#9 etan92612 (Topic Starter, Member, 20 posts)
I uninstalled Malwarebytes and Spybot then rebooted in Safe Mode with Networking.
Downloaded ComboFix saving it as george2.exe and got the same error message twice.
#10 RKinner (Malware Expert, MVP, 24,625 posts)
Is there no anti-virus like Symantec or McAfee?

Ron
#11 etan92612 (Topic Starter, Member, 20 posts)
No. My daughter took it out of the box and started using it for non-internet homework. Then my son got a hold of it. That was the end. It's only 4 months old.
#12 RKinner (Malware Expert, MVP, 24,625 posts)
Most computers come with a 6-month trial of Norton/Symantec or McAfee put on by the maker, so look in the Control Panel, Programs and see if you can find one to remove.

If you can burn a CD on another PC you can create a bootable cd which will tell you if it sees virut.

http://www.free-av.c...cue_system.html

This is an .iso file which is used to create a bootable disk. Obviously you know how to do that now.

Once you boot on it, have it run an antivirus scan. If it tells you that you have virut then we have to throw in the towel and wipe the drive and reload.

Ron
#13 etan92612 (Topic Starter, Member, 20 posts)
I guess we're done... Every line shows "contains code of the Windows virus w32/virut.gen"
#14 RKinner (Malware Expert, MVP, 24,625 posts)
Afraid so. Not much we can do once virut gets on it. I've seen a few posts where people claim they fixed it but I'm not sure I believe them. Virut is a file infector so every time you use a file it gets a little piece of virut code added to it. Cleaning a file is not trivial and cleaning a whole PC seems beyond most tools. Your only chance would be to boot off a cd like BartPE and run the two tools that claim to get rid of virut but there is no certainty that you have a version of virut that they can handle.

The good news is that your PC is only 4 months old so reverting back to the way it came from the factory should not be so tragic. Hopefully it either came with disks or has a hidden partition which you access during boot - usually with F12 but it may vary. If you didn't get disks and it doesn't have a recovery option at boot then contact the manufacturer and ask for the cds or dvd. Usually they will send them for a nominal charge.

Once you reload go immediately to windows update and start downloading all of the patches. Do not go anywhere until you have the full set then go to http://www.avast.com...avast-home.html and get the free avast anti-virus.

I'd also get the free WinPatrol 2010 from http://www.winpatrol.com/download.html

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.

If you use a USB drive then you might want to install Autorun Eater v2.4.
http://oldmcdonald.w...orun-eater-v24/
Another small program which will stay resident and prevent an infected USB drive from infecting your PC.

Then get Firefox http://www.mozilla.c...x/personal.html
and make sure you get the AdBlock Plus Add-on.

Don't let the kids install any p2p software such as Limewire, bittorrent or similar. These are prime sources of viruses.

It's also best if you put a password on any administrative logins and create a standard user login for the kids to use. That way it will limit what damage they can cause.

Keep your Java up to date and remove older versions if it doesn't do it automatically.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

Ron
#15 etan92612 (Topic Starter, Member, 20 posts)
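The "standard user for the kids, password on every admin login" advice in post #14 is a least-privilege setup; the script below is an added example (not something posted in this thread or shipped by any tool mentioned in it) that creates such an account and then verifies which accounts are actually left in the local Administrators group, which is the check most people forget. It uses the built-in `net user` / `net localgroup` commands so it works on Vista and later from an elevated PowerShell prompt; the account name `kids` is a placeholder.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt on
# Windows Vista or later; relies only on the built-in 'net' commands.
# 'kids' is a placeholder account name chosen for this example.

function Get-LocalGroupMemberNames {
    # Parses 'net localgroup <group>' output: a header, a dashed separator line,
    # one member per line, then "The command completed successfully."
    param([Parameter(Mandatory = $true)][string]$Group)
    $members = @()
    $inList  = $false
    foreach ($line in (net localgroup $Group)) {
        if ($line -match '^-{5,}')                { $inList = $true; continue }
        if ($line -match 'completed successfully') { break }
        if ($inList -and $line.Trim())            { $members += $line.Trim() }
    }
    return $members
}

$StandardUser = 'kids'

# 1. Create the account. The '*' makes 'net user' prompt for the password, so it
#    never appears on the command line or in the shell history.
net user $StandardUser '*' /add

# 2. A newly created local account is placed only in 'Users', which is what makes it
#    a standard (non-administrative) login. Confirm it is not in Administrators.
$admins = Get-LocalGroupMemberNames -Group 'Administrators'
if ($admins -contains $StandardUser) {
    net localgroup Administrators $StandardUser /delete
    $admins = Get-LocalGroupMemberNames -Group 'Administrators'
}

# 3. Every login that remains in Administrators is one the kids must not share, and
#    each one should have a password. 'net user <name> *' prompts for a new password;
#    run it for each of the accounts listed here that you intend to keep.
Write-Host 'Accounts in the local Administrators group:'
$admins | ForEach-Object { Write-Host "  $_" }
Write-Host "Set or change a password with:  net user <name> *"
```

If the list in step 3 contains more than the one parent account you expect, that is the place to trim: an extra administrative login with no password is exactly what lets a child (or malware running as that child) undo everything else in the post.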
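Post #14 also walks through disabling JavaScript in Adobe Reader via Edit, Preferences, JavaScript. The following is an added example, not from the thread, that does the same thing for every installed Reader/Acrobat version at once and shows the current state first, so it doubles as an audit. It assumes the per-user preference Adobe documents as `JSPrefs\bEnableJS` (0 = JavaScript disabled) under `HKCU\Software\Adobe\<product>\<version>`; the version subkeys are enumerated rather than hard-coded.

```powershell
# Added example, not from the thread. Reads and sets the per-user Adobe Reader /
# Acrobat preference that the "Enable Acrobat JavaScript" checkbox toggles.
# Assumption: the preference lives at HKCU\Software\Adobe\<product>\<version>\JSPrefs
# as the DWORD value bEnableJS (0 = disabled, 1 = enabled).

function Get-ReaderJavaScriptState {
    # Returns one row per installed product/version with the current bEnableJS value
    # ($null means the value has never been set, which Reader treats as enabled).
    $results = @()
    foreach ($product in @('Acrobat Reader', 'Adobe Acrobat')) {
        $base = "HKCU:\Software\Adobe\$product"
        if (-not (Test-Path $base)) { continue }
        foreach ($ver in Get-ChildItem -Path $base) {
            $jsKey = "$base\$($ver.PSChildName)\JSPrefs"
            $value = $null
            if (Test-Path $jsKey) {
                $value = (Get-ItemProperty -Path $jsKey).bEnableJS
            }
            $results += [pscustomobject]@{
                Product   = $product
                Version   = $ver.PSChildName
                bEnableJS = $value
            }
        }
    }
    return $results
}

function Disable-ReaderJavaScript {
    # Sets bEnableJS to 0 for every product/version found, creating JSPrefs if needed.
    foreach ($entry in Get-ReaderJavaScriptState) {
        $jsKey = "HKCU:\Software\Adobe\$($entry.Product)\$($entry.Version)\JSPrefs"
        if (-not (Test-Path $jsKey)) { New-Item -Path $jsKey -Force | Out-Null }
        Set-ItemProperty -Path $jsKey -Name 'bEnableJS' -Value 0 -Type DWord
    }
}

Write-Host 'Before:'
Get-ReaderJavaScriptState | Format-Table -AutoSize
Disable-ReaderJavaScript
Write-Host 'After:'
Get-ReaderJavaScriptState | Format-Table -AutoSize
```

Because the setting is per user, run this once for each account on the PC (including the new standard account for the kids), or the children's copy of Reader will still have JavaScript enabled even though the parent's does not.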
Thanks so much for all your time. One last question. Do I need to throw away the USB thumb drive I've been using on that infected computer?