8 steps completed, here are my logs

Oh yeah, forgot to mention the internet didn't work after I ran that cmd script you had me run. The wireless and local connections are both there in Safe Mode with Networking but won't run. Also still having trouble with the installer being gone; can't remove SAS still. I'm getting a couple of errors at startup, including the following:

Application Error: The instruction of "0x00620664" referenced memory at "0x00620664". The memory could not be "written".
Click OK to terminate the program. Click CANCEL to debug the program.

Wireless Configuration: Notification dll has not been registered, program will not work correctly.

Running the script now. Will post back with 2 logs in a little bit.
 
The ComboFix script did not work.

Delete the CFScript.txt from your Desktop. Then do it again, as I have added another command!

BUT this time do it in Safe Mode!

Boot back to normal mode and do the below to try and fix the Internet.

Left-drag the mouse and copy for pasting all the text in the box below.
Make sure the selection goes from the @ to the end of the second exit (scroll the slider bar to the bottom).
Then paste into the black screen of an open command prompt.
Code:
@echo off
:: Save the current IP settings to the Desktop before changing anything
ipconfig /all >"%USERPROFILE%\Desktop\ipconfig.txt"
:: Clear the ARP cache and the DNS resolver cache
netsh interface ip delete arpcache
ipconfig /flushdns
:: Drop and re-request DHCP leases on all adapters, then re-register the host in DNS
ipconfig /release *
ipconfig /renew *
ipconfig /registerdns
:: Purge and reload the NetBIOS name cache
nbtstat -RR
:: Save the Winsock/LSP catalog as it is now (a hijacked LSP shows up here)
netsh winsock show catalog >"%USERPROFILE%\Desktop\lsp.txt"
:: Reset Winsock to a clean catalog
netsh winsock reset catalog
:: Append the catalog after the reset to the same log, for comparison
netsh winsock show catalog >>"%USERPROFILE%\Desktop\lsp.txt"
:: Reset the TCP/IP stack and log what was changed
netsh int ip reset >"%USERPROFILE%\Desktop\tcpreset.txt"
:: Dump the full netsh configuration for review
netsh dump >"%USERPROFILE%\Desktop\netshout.txt"
:: Close the command prompt
exit
exit
Reboot, see the new icons on the desktop, and paste the contents of lsp, netshout and tcp.txt back to the thread.

Mike
 
Here are the logs. Still no net.

Edit: I'm trying to post the combo logs but it won't let me. It says they're already posted in the thread. I tried renaming them but it would not work. Let me know how to do that if you need me to. Although it looks like the script went well this time.
 
That works!

Nope, it did not go; ComboFix is not executing the script.

Rename combofix.exe to 12cbf34.exe. Then do the CFScript again, dragging it onto 12cbf34.

Additionally do the below next

Open MBAM, click More Tools - Run Tool, paste each line in the box below into File name: and click Open to delete, then the next, etc.

Here are the files to be deleted
Code:
C:\WINDOWS\_id.dat
C:\WINDOWS\system32\tmpxccacj0.exe
C:\WINDOWS\exedidak.dll
C:\WINDOWS\system32\grcrt2.exe
C:\koma.exe
C:\ytprjxsv.exe
C:\dykhyp.exe
C:\flirxnj.exe
C:\cwxwwgtl.exe
C:\WINDOWS\system32\CbaHRXyb.ini2
C:\WINDOWS\system32\byXRHabC.dll.vir

Reboot!

Then Run 12cbf34 and post me the log.

Mike
 
When I try to open the files to delete them it says "file does not exist, would you like to create it?" I said no. I looked at all the locations of the files and they are in fact not there anymore, and they were yesterday when I looked. Here are the logs though.
 
Yeah, they were there a couple of hours ago in the other ComboFix logs, but they are gone now!

Now it seems we are getting somewhere!

Just in case they uncovered more, update and run MBAM and SAS again (Quick Scan). Attach logs.

Mike

EDIT: Look here and run (in Safe Mode) Norman and one or more of the others if you want!
https://www.techspot.com/vb/post724044-3.html
 
Can't update; still want me to run? Still no net. There used to be a 3rd connection that was always connected. The connections are still not there at all outside of Safe Mode with Networking, but the wireless and local ones are there in Safe Mode with Networking. They don't run, though. There used to be a 3rd one that was connected at all times. I'll run quick scans anyway. Is there any way I can put the update file on here, downloading it on my other computer and bringing it over on my flash drive?
 
You can update both MBAM and SAS on your good computer and then just copy the folders in Program Files to the other computer. Delete the folders first on the infected computer, then just copy into Program Files.

We will get the Internet soon!

While you are copying, get Norman; it is current, is not installed, and is a stand-alone program.

Mike
 
MBAM and SAS found nothing anyway; Norman is in the middle of the scan. I have Oracle 11 on here and it's taking forever to scan through it. But alright, will do with Dr.Web. Norman hasn't found anything yet.
 
OK good on the MBAM and SAS!

Once we are reasonably sure we are clean we will address the Internet connectivity issue.

Mike
 
Ok, so some bad news, I guess... Norman didn't pick up much, a few files in the System Restore files. However, Dr.Web is clearing house right now. On its express scan it found and cured Win32.Virut.56 in a ton of exe files and caused my computer to reboot mid-cure. On the next express scan it cured 2 more files, another Virut.56 in a .exe in the sys32 folder, and a Backdoor.Zapinit in there as well. I started a complete scan; it is at Documents and Settings right now and has cured probably close to a thousand exe files infected with Win32.Virut.56. This thing seems pretty nasty; I found a bunch about it on Google. Doesn't sound like there's much of a cure other than reformat, unless Dr.Web now does the job?

But after the first express scan, the internet was back up and running, and about 6 process fail alerts stopped showing up on a regular boot. Just thought I'd let you know what's going on. The Norman scan froze at Program Files last night, so I restarted it and set it to start right there; it didn't find anything from that point on. But the scans took about 5 hours. I'll post the logs when Dr.Web is finished.
 
Is it curing/fixing or deleting/quarantining?

OK, if we can get DrWeb to certify clean, we may then do a repair install to replace any system files that did get deleted.

What are your thoughts? It is your computer; would you rather format and get it over with?

I don't mind at all keeping on at least seeing what DrWeb does.

If we can get clean I am sure a Repair/Overlay install and a Dial-A-Fix run will get all Windows files back in order.

The reason I don't mind going on is I learn from this process also and would be able to help others. Additionally others are watching this thread and it may help them.

You have been a Trooper. You indicated you have other computers but if you need to get this over and get this computer back online then say the word!

Else I am ready to continue!

If we had known from the start what we would run into, then a format would have been the answer. Now, with the time invested, it is pissing me off, and at least I want to learn something!

As I don't give up easily!

Mike
 
Why not? I'll keep going, as it says curing, not deleting. If it was deleting I could see where that would be an issue. That's why, before I started the complete scan, I booted up to see if anything from the express scan got better/worse. It did in fact get better at that point. This scan is going to be a long one: I posted that close to an hour ago and it is still in Documents and Settings. Do you still want me to post the log? It is gonna be enormously long.
 
Alright! Here we go!

Yes zip it if it is large.

If DrWeb can actually cure these files (outstanding) that will be good, and good to know!

Mike
 
Dr. Web CureIt will show many files like this. Notice that these aren't just some random files. Pretty much sums it up...

explorer.exe;c:\windows;Win32.Virut.56;Cured.;
imagination studio.scr;c:\windows;Win32.Virut.56;Cured.;
unregmp2.exe;c:\windows\inf;Win32.Virut.56;Cured.;
xpnetdiag.exe;c:\windows\network diagnostic;Win32.Virut.56;Cured.;
alg.exe;c:\windows\system32;Win32.Virut.56;Cured.;
cisvc.exe;c:\windows\system32;Win32.Virut.56;Cured.;
clipsrv.exe;c:\windows\system32;Win32.Virut.56;Cured.;
ctfmon.exe;c:\windows\system32;Win32.Virut.56;Cured.;
dllhost.exe;c:\windows\system32;Win32.Virut.56;Cured.;
logon.scr;c:\windows\system32;Win32.Virut.56;Cured.;
logonui.exe;c:\windows\system32;Win32.Virut.56;Cured.;

It says cured but that isn't true. Virut spreads back to the newly cured files so it's a never ending process of cleaning and infecting.

Don't like our chances.

EDIT: I am rescanning right now with a custom scan on Dr.Web. If that post is in fact true, I'm not sure how fast it can actually spread back around, but I'm scanning the main infected folders just to double-check and see what it comes up with. I am scanning i386, System Volume Information, and Windows.
 
Purely for the big experiment!

Up to you but proof of that will be another express scan in Safe mode with DrWeb.

If it finds files it cleaned on last scan then Format Time.

If it finds nothing or only a very few then we can drop back and punt!

Mike
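The check Mike describes above (re-scan, then see whether files reported "Cured." last time show up again), done against the log files instead of by eye. This is an added example and not part of the original thread or of Dr.Web CureIt; it parses CureIt's semicolon-separated report lines (filename;directory;threat;action;). The two sample logs are constructed: the paths are ones posted earlier in the thread, and the detections on the second-scan lines (which file repeats, which gets a different name, which is new) are assumed purely for illustration.

```python
from collections import defaultdict

# Constructed sample logs in the Dr.Web CureIt report format used in this thread:
#   filename;directory;threat name;action;
# First run: three system files reported cured.
FIRST_SCAN = """\
explorer.exe;c:\\windows;Win32.Virut.56;Cured.;
alg.exe;c:\\windows\\system32;Win32.Virut.56;Cured.;
ctfmon.exe;c:\\windows\\system32;Win32.Virut.56;Cured.;
"""

# Second run after a reboot (constructed): explorer.exe is hit again with the
# same threat, ctfmon.exe comes back under a different detection name, alg.exe
# stays clean, and logonui.exe was not in the first log at all.
SECOND_SCAN = """\
explorer.exe;c:\\windows;Win32.Virut.56;Cured.;
ctfmon.exe;c:\\windows\\system32;Tool.Prockill;Deleted.;
logonui.exe;c:\\windows\\system32;Win32.Virut.56;Cured.;
"""


def parse_drweb_log(text):
    """Return {full_path: {threat, ...}} for every detection line in a CureIt log."""
    hits = defaultdict(set)
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.strip().split(";")]
        # Header and summary lines have no threat column; skip them.
        if len(fields) < 4 or not fields[2]:
            continue
        name, directory, threat = fields[0], fields[1], fields[2]
        path = (directory.rstrip("\\") + "\\" + name).lower()
        hits[path].add(threat)
    return dict(hits)


def compare_scans(first_text, second_text):
    """Split the second scan's detections by how they relate to the first scan."""
    first = parse_drweb_log(first_text)
    second = parse_drweb_log(second_text)
    return {
        # Same file, same threat name as last time: the "cure" did not hold.
        "reinfected": sorted(p for p in second if p in first and first[p] & second[p]),
        # Same file, but a different detection name than before.
        "different_threat": sorted(p for p in second if p in first and not first[p] & second[p]),
        # Files the first scan never listed.
        "new": sorted(p for p in second if p not in first),
        # Files cured last time that the second scan did not report at all.
        "stayed_clean": sorted(p for p in first if p not in second),
    }


def verdict(result):
    """Mike's rule from the thread: cleaned files turning up again means it is format time."""
    if result["reinfected"]:
        return "reinfected: same threat in the same files on re-scan; format"
    if result["different_threat"] or result["new"]:
        return "no repeats, only new detections; keep scanning until a clean run"
    return "clean"


if __name__ == "__main__":
    outcome = compare_scans(FIRST_SCAN, SECOND_SCAN)
    for bucket, paths in outcome.items():
        print(f"{bucket}:")
        for path in paths:
            print(f"  {path}")
    print(verdict(outcome))
```

Run it on the real logs by reading the first and second report files into FIRST_SCAN and SECOND_SCAN; paths are lower-cased before comparison so case differences between runs do not hide a repeat.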
 
Ok, so not sure if it's being reinfected, however there are infections being found. I went down the first 10 of the newly found infections and tried to match them on my posted log. I only found the first two, and on the posted log those two said they were cured for Win32.Virut.56; now they're here again, but this time one is for Program.mIRC.623 and the other is for Tool.Prockill. The majority of these files, however, continue the list from where it left off at: A0034826.exe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10;Win32.Virut.56;Cured.;

EDIT: So far there are 530 files found and not one of them is on the previous list besides as mentioned above very few but this time for new reasons.
 
This may be normal; even MBAM, SAS, SDFix and ComboFix usually find more and different issues on subsequent runs if there are multiple infections.

It's like after cleaning it exposes things not visible before. This may be why some say this cannot be fixed, because even here and on other boards like TechSpot hardly any do secondary scans until the logs are clean.

I was given a hard time when I first came here for doing it (scanning multiple times until the logs were clean). But the proof, they say, is in the pudding. I don't know what my success rate is, but it is bound to be in the high 90%.

So if, I say if you want to, then do another full after the last express and see if they all are not gone.

Basically NB you are doing a service to others to continue. But you have gone beyond the call so up to you!

Mike
 
I'm gonna keep going; if we can get this at least functioning decently enough to use at school by next Thursday, I'll keep going. And if these really are curing then that shouldn't be much of a problem. Just in case, what would I need for a reformat? I'm just making sure I've got all my discs here. I've never really done much with this one in terms of reformatting or using the Windows disc; I got ripped off when I was not too bright and went through my college to buy it. Is it the reinstallation CD, Microsoft Windows XP Professional Service Pack 2?
 
Well, good, I'm glad you are continuing.

As long as we are curing different files. Another reason to continue is that if we can't cure it, then your data, even emails, on this computer cannot be transferred back after reformatting, as they would then reinfect the new Windows.

Think about what you have that you really, really need to have from this computer.

Mike

That CD will do it if needed.
 
So some good news now, finally. The express scan in fact found nothing but the backdoor that was set to be cured after reset after the first complete scan. It's got about 10% left. I'll post that log, which will be combined with the previous log because I forgot to save it and they combine them if you don't clear the data. Then I'm gonna reboot and run another express scan.
 