Welcome to Geeks to Go - Register now for FREE

Incurable Files Infected... Cant even log on anymore: LOG INCLUDED


#16 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Never mind, I had someone else in mind when I typed that; my mistake.

You are still badly infected. First, though, you need to uninstall one of the two antivirus programs you have:
AVG or Avira.

After that, unless you are paying for it, uninstall Spyware Doctor; that program is useless unless you pay for it, and even then it is mediocre at best.
=====================
After doing that please do the following:
==========
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

First, disable your antivirus before running ComboFix.
If you keep Avira, right-click on the icon in the system tray and uncheck Avira Guard.
If you keep AVG, open up AVG and double-click on Resident Shield.
Uncheck Enable Resident Shield and then click on Save at the bottom.


Double-click on Combo-Fix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt


#17 chucktaylorfan92 (Member, Topic Starter, 16 posts)
ComboFix never did open the text file or give me any confirmation that it was done making the log, but I just copied it out of the directory you told me to. Also, it said not to run any programs until it was done, but since it was just rebooting, all the startup programs started running, so if the log doesn't look right, tell me. Thank you.

Attached Files



#18 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    ndis.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.

#19 chucktaylorfan92 (Member, Topic Starter, 16 posts)
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 12:36 on 06/06/2009 by Andy (Administrator - Elevation successful)

========== filefind ==========

Searching for "ndis.sys"
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys --a--- 182656 bytes [00:27 29/08/2008] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D
C:\WINDOWS\system32\drivers\ndis.sys --a--- 212480 bytes [12:00 04/08/2004] [17:16 24/05/2009] 1DDCD4F10C093B87A59A0FBA97E8462D

-=End Of File=-
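
The comparison the two filefind hits above make possible, as an added example that is not code from the thread or from SystemLook: a small parser for the filefind output that groups copies of the same file name by MD5, so that a live driver hashing differently from the copy left in the Windows Update download cache stands out, and that reports which copy was rewritten most recently. The sample log is the one posted above; the parser and the two helper functions are this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the filefind section as posted above (paths, sizes,
# timestamps and MD5s are the thread's own values).
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 12:36 on 06/06/2009 by Andy (Administrator - Elevation successful)

========== filefind ==========

Searching for "ndis.sys"
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys --a--- 182656 bytes [00:27 29/08/2008] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D
C:\WINDOWS\system32\drivers\ndis.sys --a--- 212480 bytes [12:00 04/08/2004] [17:16 24/05/2009] 1DDCD4F10C093B87A59A0FBA97E8462D

-=End Of File=-
"""

# One filefind hit: <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) (?P<attrs>[-a-z]+) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})\s*$"
)
STAMP = "%H:%M %d/%m/%Y"  # SystemLook prints time first, then day/month/year


def parse_filefind(text):
    """Return one dict per filefind hit; lines that are not hits are skipped."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["size"] = int(d["size"])
        d["md5"] = d["md5"].upper()
        d["created"] = datetime.strptime(d["created"], STAMP)
        d["modified"] = datetime.strptime(d["modified"], STAMP)
        d["name"] = d["path"].rsplit("\\", 1)[-1].lower()
        hits.append(d)
    return hits


def hash_conflicts(hits):
    """File names seen with more than one MD5, mapped to {md5: [paths]}.
    Two copies of a driver that should be identical but hash differently
    mark the pair to investigate (as with ndis.sys in the log above)."""
    by_name = defaultdict(lambda: defaultdict(list))
    for h in hits:
        by_name[h["name"]][h["md5"]].append(h["path"])
    return {n: dict(v) for n, v in by_name.items() if len(v) > 1}


def newest_copy(hits, name):
    """Path of the most recently modified copy of `name`, or None."""
    same = [h for h in hits if h["name"] == name.lower()]
    return max(same, key=lambda h: h["modified"])["path"] if same else None
```

A hash mismatch alone does not say which copy is bad; here the update-cache copy is the reference because Windows Update wrote it, and the live copy is the one that was modified most recently.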

#20 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
23fc6e8e
2da799f
Viewpoint Manager Service
uesdiavm

NetSvc::
uesdiavm

Fcopy::
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys | C:\WINDOWS\system32\drivers\ndis.sys


File::
C:\Program Files\R94481.EXE
C:\WINDOWS\system32\482063334.dat

Folder::
C:\WINDOWS\system32\121973
C:\Documents and Settings\Andy\DoctorWeb

Dirlook::
C:\Documents and Settings\Andy\Local Settings\Application Data\meikksia
C:\Documents and Settings\Andy\Application Data\meikksia
C:\WINDOWS\system32\config\systemprofile\Application Data\meikksia
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\meikksia
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\meikksia
C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\meikksia
C:\WINDOWS\dhcp


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following report/log into your next reply:
  • ComboFix.txt
=============

#21 chucktaylorfan92 (Member, Topic Starter, 16 posts)
Here you go.

Attached Files



#22 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
================================Malwarebytes' Anti-Malware=================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
================================Follow up scan=================================
  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open one Notepad window, OTListIt.Txt. This is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.


#23 chucktaylorfan92 (Member, Topic Starter, 16 posts)
Here's the MBAM log, but the OTL scan froze at the same spot!

Malwarebytes' Anti-Malware 1.37
Database version: 2238
Windows 5.1.2600 Service Pack 2

6/6/2009 3:09:14 PM
mbam-log-2009-06-06 (15-09-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 207193
Time elapsed: 1 hour(s), 2 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 36

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0010000 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00215f4 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c002a680 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0046609 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c007cd3b (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0088884 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c009919 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00d70fe (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\AskSBar\bar\1.bin\A2HIGHIN.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\AskSBar\bar\1.bin\A2PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> Quarantined and deleted successfully.
c:\program files\AskSBar\bar\1.bin\NPASKSBR.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\plugins\NPAskSBr.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\yhafd78auhd.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\drivers\prmiewvz.sys.vir (Rootkit.Agent.Z) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\Temp\1424688122.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\Temp\1504858956.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\Temp\1527980266.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\Temp\1607682350.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\Temp\2101530484.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\Temp\2223885128.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\Temp\2313227358.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\Temp\2428707002.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\Temp\255578400.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\Temp\2892431656.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\Temp\2927867636.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\Temp\3034441030.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\Temp\3129290.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\Temp\342933044.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\Temp\3564382914.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\Temp\3666425058.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\Temp\4187460692.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\Temp\486944720.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\Temp\583361864.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\Temp\691272498.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\Temp\739252142.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\Temp\765360344.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\Temp\868968678.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\Temp\986479572.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{f2602b91-4f28-4f1c-9ac3-ff2333ee031a}\RP11\A0002064.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{f2602b91-4f28-4f1c-9ac3-ff2333ee031a}\RP14\A0009385.sys (Rootkit.Agent.Z) -> Quarantined and deleted successfully.
c:\system volume information\_restore{f2602b91-4f28-4f1c-9ac3-ff2333ee031a}\RP14\A0009396.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\t1p0_839982848117.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\t1p1_804631239010.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.

#24 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
That is strange but let's finish up.

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#25 chucktaylorfan92 (Member, Topic Starter, 16 posts)
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, June 6, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, June 07, 2009 00:06:06
Records in database: 2320131
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 85643
Threat name: 3
Infected objects: 11
Suspicious objects: 0
Duration of the scan: 02:14:06


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\dncyool64.sys.vir Infected: Trojan.Win32.Agent2.kci 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\Beep.SYS.vir Infected: Backdoor.Win32.NewRest.z 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ndis.sys.vir Infected: Virus.Win32.Protector.b 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_Beep_.SYS.zip Infected: Backdoor.Win32.NewRest.z 1
C:\System Volume Information\_restore{F2602B91-4F28-4F1C-9AC3-FF2333EE031A}\RP11\A0001093.SYS Infected: Backdoor.Win32.NewRest.z 1
C:\System Volume Information\_restore{F2602B91-4F28-4F1C-9AC3-FF2333EE031A}\RP14\A0009376.sys Infected: Trojan.Win32.Agent2.kci 1
C:\System Volume Information\_restore{F2602B91-4F28-4F1C-9AC3-FF2333EE031A}\RP14\A0009384.SYS Infected: Backdoor.Win32.NewRest.z 1
C:\System Volume Information\_restore{F2602B91-4F28-4F1C-9AC3-FF2333EE031A}\RP14\A0009397.sys Infected: Virus.Win32.Protector.b 1
C:\System Volume Information\_restore{F2602B91-4F28-4F1C-9AC3-FF2333EE031A}\RP14\A0009398.SYS Infected: Backdoor.Win32.NewRest.z 1
C:\System Volume Information\_restore{F2602B91-4F28-4F1C-9AC3-FF2333EE031A}\RP14\A0009404.SYS Infected: Backdoor.Win32.NewRest.z 1
C:\System Volume Information\_restore{F2602B91-4F28-4F1C-9AC3-FF2333EE031A}\RP14\A0009496.sys Infected: Virus.Win32.Protector.b 1

The selected area was scanned.

#26 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
How are things running now?

Also, please run DDS again and post the dds.txt log only.

#27 chucktaylorfan92 (Member, Topic Starter, 16 posts)
It's better, I'm pretty sure (it's my aunt's computer, not mine), but I can actually get on the internet with IE now. So compared to the way it was when I started, it's WAY better. DDS won't open the text files for some reason. I let it run for about 15 minutes uninterrupted when it says it should take but 3 minutes. I'll try again and post it if it works. I would donate to you for your help, but... I don't have that much money considering the fact that I'm 16 years old, haha. Thank you so much! You're a genius.

#28 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
You don't have to donate; we are here to help.

Try this one then:

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).


#29 chucktaylorfan92 (Member, Topic Starter, 16 posts)
......

Attached Files

  • info.txt (28KB)
  • log.txt (26.37KB)


#30 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Has anything happened in between fixes? Because you are right back infected again.
This time you have Virut and it is incurable.

:) VIRUT :)

Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
https://forums2.syma...age/ba-p/388834
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.c...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
  • Immediately before the encrypted code at the end of the last section
  • At the end of the code section of the infected host in 'slack-space' (assuming there is any)
  • At the original entry point of the host (overwriting the original host code)

What this means is we cannot proceed with any sort of fix as your legitimate files have already been corrupted and this action is, unfortunately, irreversible. I apologize but there is nothing else I can do or advise to completely clear your machine. You must reformat your pc to rid yourself of this deadly virus.
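
An added defender-side check, written for this thread and not taken from McAfee or Geeks to Go, for the layout the McAfee description above gives: a PE whose entry point has been moved into the last section, or whose last section has been made executable so appended code can run. It reads only the PE headers; the two test images it builds are constructed, header-only files with made-up section names, RVAs and flags, not real binaries.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000

def build_pe(sections, entry_rva):
    """Constructed headers-only PE32 test image; sections = [(name, rva, vsize, chars)]."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)         # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                        # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)       # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode(), vs, rva, vs, 0, 0, 0, 0, 0, ch)
        for n, rva, vs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image."""
    pe = struct.unpack_from("<I", data, 60)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    secs = []
    for i in range(nsec):
        name, vsize, rva, *_, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        secs.append({"name": name.rstrip(b"\0").decode(), "rva": rva,
                     "vsize": vsize, "chars": chars})
    return entry, secs

def entry_point_findings(data):
    """Flag the symptoms described above: execution starting in the last
    section, or a last section that is executable at all (.rsrc/.reloc normally are not)."""
    entry, secs = parse_pe(data)
    host = next((s for s in secs if s["rva"] <= entry < s["rva"] + s["vsize"]), None)
    if host is None:
        return ["entry point lies outside every section"]
    findings = []
    if len(secs) > 1 and host is secs[-1]:
        findings.append("entry point is in the last section " + host["name"])
    if len(secs) > 1 and secs[-1]["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("last section " + secs[-1]["name"] + " is executable")
    return findings

# Constructed layouts: a normal image, and one shaped the way the description
# above says an appending infector leaves it (entry moved into an enlarged, now-executable last section).
CLEAN = build_pe([(".text", 0x1000, 0x2000, 0x60000020),
                  (".data", 0x3000, 0x1000, 0xC0000040),
                  (".rsrc", 0x4000, 0x1000, 0x40000040)], 0x1100)
INFECTED = build_pe([(".text", 0x1000, 0x2000, 0x60000020),
                     (".data", 0x3000, 0x1000, 0xC0000040),
                     (".rsrc", 0x4000, 0x1800, 0xE0000040)], 0x4900)
```

These are triage heuristics, not a verdict: packers and some legitimate linkers produce the same layout, so a hit means "compare against a known-good copy", which for a machine in this state still ends in the reinstall the post recommends.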