
8 steps completed, here's my logs

Discussion in 'Virus and Malware Removal' started by nb1106, Jan 26, 2009.

  1. mflynn Newcomer, in training Posts: 2,793

    Is it curing/fixing or deleting/quarantining?

    OK if we can get DrWeb to certify clean, we may then do a repair install to replace any system files that did get deleted.

    What are your thoughts? It is your computer; would you rather format and get it over with?

    I don't mind at all keeping on at least seeing what DrWeb does.

    If we can get clean I am sure a Repair/Overlay install and a Dial-A-Fix run will get all Windows files back in order.

    The reason I don't mind going on is I learn from this process also and would be able to help others. Additionally others are watching this thread and it may help them.

    You have been a Trooper. You indicated you have other computers but if you need to get this over and get this computer back online then say the word!

    Else I am ready to continue!

    If we knew from the start what we would run into, then a format would have been the answer. Now with the time invested it is pissing me off and at least I want to learn something!

    As I don't give up easily!

    Mike
  2. nb1106 Newcomer, in training Posts: 56

    Why not, I'll keep going, as it says curing, not deleting. If it was deleting I could see where that would be an issue. That's why before I started the complete scan I booted up to see if anything from the express got better/worse. It in fact did get better at that point. This scan is going to be a long one. I posted that close to an hour ago and it is still in Documents and Settings. Do you still want me to post the log? It is gonna be enormously long.
  3. mflynn Newcomer, in training Posts: 2,793

    Alright! Here we go!

    Yes zip it if it is large.

    If DrWeb can actually cure these files (outstanding) that will be good, and good to know!

    Mike

  4. nb1106 Newcomer, in training Posts: 56

    Don't like our chances.

    EDIT: I am rescanning right now with a custom scan on Dr.Web. If that post is in fact true, I'm not sure how fast it can actually spread back around? But I'm scanning the main infected folders just to double check and see what it comes up with. I am scanning i386, System Volume Information, and Windows.
  5. mflynn Newcomer, in training Posts: 2,793

    Purely for the big experiment!

    Up to you but proof of that will be another express scan in Safe mode with DrWeb.

    If it finds files it cleaned on last scan then Format Time.

    If it finds nothing or only a very few then we can drop back and punt!

    Mike
  6. nb1106 Newcomer, in training Posts: 56

    Ok so not sure if it's being reinfected, however there are infections being found. I went down the first 10 of the newly found infections and tried to match them on my posted log. I only found the first two, and on the posted log for those two it said it was cured for Win32.Virut.56; now on this one it is here again, but this time it is for Program.mIRC.623, and the other is for Tool.Prockill. However, the majority of these files continue the list from where it left off at: A0034826.exe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10;Win32.Virut.56;Cured.;

    EDIT: So far there are 530 files found and not one of them is on the previous list besides as mentioned above very few but this time for new reasons.
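The comparison nb1106 does by hand above (matching the new scan's hits against the earlier log to tell a recurring file from a new one) as an added script; this is example code, not anything posted in the thread. It assumes Dr.Web's log lines follow the `object;container path;threat;action;` layout of the single entry quoted above, and the sample logs are constructed apart from that one line.

```python
from collections import namedtuple

# One detection per log line: <object>;<container path>;<threat>;<action>;
Detection = namedtuple("Detection", "obj container threat action")

def parse_log(text):
    """Parse semicolon-separated detection lines; skip anything else."""
    found = []
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.strip().rstrip(";").split(";")]
        if len(parts) < 4 or not parts[0]:
            continue  # progress lines, headers, blank lines
        found.append(Detection(*parts[:4]))
    return found

def compare_scans(previous, current):
    """Split the current scan's hits into (recurring, reclassified, new).
    recurring:    same object+container, same threat -> cure did not stick
    reclassified: same object+container, different threat name (the
                  mIRC/Prockill case nb1106 noticed)
    new:          object+container absent from the previous log
    """
    prev_by_file = {}
    for d in parse_log(previous):
        prev_by_file.setdefault((d.obj, d.container), set()).add(d.threat)
    recurring, reclassified, new = [], [], []
    for d in parse_log(current):
        threats = prev_by_file.get((d.obj, d.container))
        if threats is None:
            new.append(d)
        elif d.threat in threats:
            recurring.append(d)
        else:
            reclassified.append(d)
    return recurring, reclassified, new

# Constructed sample logs: the first PREVIOUS line is the entry quoted in
# the thread; every other name and path below is made up for the example.
RP = r"C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10"
PREVIOUS = f"""A0034826.exe;{RP};Win32.Virut.56;Cured.;
A0034827.exe;{RP};Win32.Virut.56;Cured.;
setup.exe;C:\\example-dir\\tool.rar;Win32.Virut.56;Cured.;
"""
CURRENT = f"""A0034826.exe;{RP};Program.mIRC.623;Cured.;
A0034827.exe;{RP};Win32.Virut.56;Cured.;
A0034900.exe;{RP};Win32.Virut.56;Cured.;
Scanning C:\\Documents and Settings ...
"""
if __name__ == "__main__":
    print([len(g) for g in compare_scans(PREVIOUS, CURRENT)])  # [1, 1, 1]
```

A file that keeps coming back under the same threat name after a "Cured." verdict is the signal that the infection is being re-dropped, which is what the follow-up express scan in Safe Mode is meant to catch.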
     
  7. mflynn Newcomer, in training Posts: 2,793

    This may be normal; even MBAM, SAS, SDFix and ComboFix usually find more and different issues on subsequent runs if there are multiple infections.

    It's like after cleaning it exposes things not visible before. This may be why some say this cannot be fixed, because even here and on other boards like TechSpot hardly any do secondary scans until the logs are clean.

    I was given a hard time when I first came here for doing it (scanning multiple times until the logs were clean). But the proof they say is in the pudding. I don't know what my success rate is but it is bound to be in the high 90%.

    So if, I say if you want to, then do another full after the last express and see if they all are not gone.

    Basically NB you are doing a service to others to continue. But you have gone beyond the call so up to you!

    Mike
  8. nb1106 Newcomer, in training Posts: 56

    I'm gonna keep going; if we can get this at least functioning decently enough to use at school by next Thursday, I'll keep going. And if these really are curing then that shouldn't be much of a problem. Just in case, what would I need for a reformat? I'm just making sure I got all my discs here. I've never really done much with this one in terms of reformatting or using the Windows disc; I got ripped off when I was not too bright and went through my college to buy it. Is it the reinstallation CD, Microsoft Windows XP Professional Service Pack 2?
  9. mflynn Newcomer, in training Posts: 2,793

    Well good, I'm glad you are continuing.

    As long as we are curing different files. Another reason to continue is if we can't cure it then your data, even emails on this computer, cannot be transferred back after reformatting as they would then reinfect the new Windows.

    Think about what you have that you really, really need to have from this computer.

    Mike

    That CD will do it if needed.
  10. nb1106 Newcomer, in training Posts: 56

    So some good news now finally. The express scan in fact found nothing but the backdoor that was set to be cured after reset after the first complete scan. It's got about 10% left; I'll post that log, which will be combined with the previous log because I forgot to save it and they combine them if you don't clear the data. Then I'm gonna reboot and run another express scan.
  11. mflynn Newcomer, in training Posts: 2,793

    10-4

    Fantastic!

    Mike
  12. nb1106 Newcomer, in training Posts: 56

    Here's the log. The express after reboot was clean. The complete scan is just starting documents and settings and is clean.
  13. mflynn Newcomer, in training Posts: 2,793

    You are going to jump through this computer screen at me when I ask you this, but when the full DrWeb is finished go back where you got DrWeb and D/L and run NOD32 cleaner in Safe Mode!

    Now that we seem to be clean I want another very good and powerful program like NOD to confirm it even again!

    Mike
  14. nb1106 Newcomer, in training Posts: 56

    Sounds good, it will be some time I'd imagine before those are both done. At this time DrWeb has only found one infection during this complete scan and it's inst.exe of AOL and it's marked as probably backdoor.trojan. Will post logs as they come.
  15. nb1106 Newcomer, in training Posts: 56

    Second Complete scan. Letting NOD run through the night along with another express in the morning. Will post both logs.


    EDIT: NOD found a trace of virut. Guess that's bad news. But only one trace. And it's in a .exe file that is locked in a rar file.
  16. mflynn Newcomer, in training Posts: 2,793

    That is Great! I have always had great respect for DrWeb but this sends that through the roof!

    If nod and drweb express both come up clean then....

    The following is to get your system back to normal and fix any missing Windows Components and dll's etc. And preparation for SP3 which will for sure finish up things.

    This has to be done in normal mode, so after the SP3 download unplug the network, then turn off both Windows Firewall (if on) and Zone Alarm; also turn off Avira. This is so they do not interfere with the install of SP3. I will tell you below when to do this.
    ----------------------------------------------------------------------------------------------------------------------------------
    Boot to Safe Mode

    Cleanup temps and Registry and System Restore (you should already have these programs from earlier)
    Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom, no Yahoo toolbar)
    Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

    Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

    KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
    Fantastic cleaner.
    ---------------------------------------------------------------------------------------------------------------------------------
    The issues that were found are in System Restore, so do the below

    Start-Programs-Accessories-System Tools-System Restore and create a new Restore point. Name it "Cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore, OK to "Are you sure" and then OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.

    Only after the above, redownload SAS, install, update and run, and attach the log.

    All of above in Safe Mode networking.
    ----------------------------------------------------------------------------------------------------------------------------------
    Boot back to Normal Mode

    Download Dial-A-Fix (DAF)
    http://wiki.djlizard.net/Dial-a-fix#...C_and_articles
    http://djlizard.net.nyud.net:8080/software/Dial-a-fix-v0.60.0.24.zip

    Have XP CD available in case DAF needs a file.

    Check all boxes on the screen (clear any restrictions if it shows any)
    Then click GO!

    When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

    Here 1 at a time do the below

    Flush DNS
    Flush icons
    Process idle Tasks
    Reinstall Automatic Updates Service
    Reinstall BITS
    Reinstall Defrag
    Reinstall Help and Support service
    Reinstall Windows Firewall
    Repair Permissions

    Watch for any "File not found" or other errors and make a note, as this may lead to something needing to be fixed!

    Then,

    Download the full offline SP3 install from here.

    http://www.microsoft.com/DownLoads/...a8-5e76-401f-be08-1e1555d4f3d4&displaylang=en

    Then turn off items as indicated above and install SP3!

    When finished plug cable back up and reboot, when back up run in the order below..

    Paranoid check!

    Update MBAM run Quick Scan
    Update SAS run Quick scan
    Run ComboFix
    Then from Safe Mode run SDFix

    Post all logs.

    Mike
  17. nb1106 Newcomer, in training Posts: 56

    Well I was just indicating that NOD had found a trace of the virut.56 in a rar file. It said it could not be quarantined, so I manually deleted the rar file off that and the flash drive. Then up to this point it found one more trace and it was successfully cleaned. It also did not finish because NOD doesn't clean/delete/quarantine/ignore files until you verify which to do by a pop up. So it is only at oracle right this second. Still a lot to go, hopefully clean. Then I'm not going to be here at all today until at least 8 tonight, so I'm going to run another Dr.Web to be completely sure that it's gone. I don't wanna do all that and then find out I have to do it all over again. Will let you know how it goes!
  18. mflynn Newcomer, in training Posts: 2,793

    Yep good idea! Leave it working while you are busy with other things.

    I feel good about this now!

    Mike
  19. nb1106 Newcomer, in training Posts: 56

    Alright so I ended up running two more Dr.Web complete scans. And I'm in the middle of running a 3rd NOD32 scan. I'm pretty sure we're good to go. So far on this scan NOD has only picked up a few viruses, which are the ones quarantined in rar files by Dr.Web. NOD has picked up a few Virut traces but from what I can see all of them are in rar files, which I would imagine we do need to remove, besides the quarantined ones, unless those should be removed as well? But if you think I'm ready for the next step let me know. Both Dr.Web scans were clean; if you'd like the NOD32 logs let me know.
  20. mflynn Newcomer, in training Posts: 2,793

    I would clean all Quarantines and delete any zips/rar files that still contain issues if possible.

    If there are important files and you think it is important, I would extract them on another drive or partition and scan again immediately with DrWeb.

    Yeah, just in case I see something you don't, post the NOD32 logs.

    Mike