TechSpot

Huge Win32/Heur Infection help

By dilasluis
Feb 21, 2009
  1. I have a win32/heur infection on my laptop (VAIO VGN FE-31M, Intel Core 2, 1.83GHz, 2GB ram, win xp sp3 media center edition). I have already taken the 8 steps advised and I attach the logs. Step 5 couldn't be performed because my computer crashs everytime I run SUPERAntiSpyware after finding like 8 threads. I attach also my AVG 8 Internet Security log.
     

    Attached Files:

  2. mflynn

    mflynn TS Rookie Posts: 2,655

    Run HJT Scan only Select and Fix the below.
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TEMP\init.exe,C:\WINDOWS\system32\actcontroller.exe,C:\WINDOWS\system32\actcontroller.exe,C:\WINDOWS\system32\c++.exe,C:\WINDOWS\system32\i386kd.exe,C:\WINDOWS\system32\pdbcopy.exe,

    Another run indicated!
    OK there were found/removed items in MBAM so we need to run again as the first run likely exposed things that were not even seen the first time.

    So another run Quick Scan will likely find more. So UPDATE MBAM and run again. post log.

    Then ONLY when the above is complete and log posted do the below.

    Download SDFix to Desktop.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On Desktop run SDdFix It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click thu all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click to RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process then say Finished,
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.
    =========================================
    Download ComboFix

    NOTE: If you have had ComboFix more than a few days old delete and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click combofix's window while its running. That may cause it to stall.

    Mike
     
  3. dilasluis

    dilasluis TS Rookie Topic Starter

    Sorry for taking so long (I am at GMT)...
    Here are the new logs. I was unable to run SDFix because, like SUPERAntiSpyware, the computer crashes showing a blue screen.

    Thank you for your time

    Andy Luis

    Just one more thing, do you think I can connect my iPhone and iPod to my PC while it is infected? Or in another words, does this virus will corrupt an Apple system?
     
  4. mflynn

    mflynn TS Rookie Posts: 2,655

    OK good job!

    But found some bad!

    Run HJT Scan only select and Fix the below
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TEMP\init.exe

    Another run indicated!
    OK there were found/removed items in both MBAM and ComboFix so we need to run again as the first run likely exposed things that were not even seen the first time.

    So another run Quick Scan will likely find more. So UPDATE MBAM and run again.

    Then run ComboFix again.

    Where is the SuperAntiSpyware log we need it! So get it here.

    Mike
     
  5. dilasluis

    dilasluis TS Rookie Topic Starter

    I can't run SUPERAntiSpyware...

    Every time I run SUPERAntiSpyware and SDFix my computer crashes showing a blue screen.

    Here are the latest logs.

    I can't thank you enough for your time spent helping me.

    Thank you

    Andy Luis
     
  6. mflynn

    mflynn TS Rookie Posts: 2,655

    Well that alone is a sign something is wrong!

    UPDATE and run MBAM and ComboFix again as they had found/repaired items.I need to confirm they are gone or can not complete repairs or clean.

    Then...

    Uninstall the SAS, reboot download and reinstall SAS and update but don't run.

    Boot to Safe mode with Networking and run SAS.

    Mike
     
  7. dilasluis

    dilasluis TS Rookie Topic Starter

    SAS produced no logs...

    I ran SAS on safe mode, once full scan which resulted in 23 infections, and twice quick scan which both resulted in no infections. I went to check for the logs but there were none.

    I tried to run SAS on normal mode then but it resulted on blue screen crash again.

    I ran MBAM twice on quick scan. The first resulted in some infections which I suppose were successfully removed because the second run didn't find anything.

    I attached the new logs.

    P.S.: After SAS, when my computer rebooted, all my win xp themes had disappeared and everything looks like win 3.0.
     
  8. mflynn

    mflynn TS Rookie Posts: 2,655

    To get the SAS logs.
    1. Open SAS
    2.Click Preferences
    3.Click Statistics/logs
    So post me all logs 1 at a time.

    I need to see the MBAM log of what was found. What you had gives insight on how best to continue. Do not omit posting any logs.

    So..

    Open MBAM click logs and sen me the other logs.

    Then ...

    Run ComboFix again as it had some really bad ones and we need to see that they really did go away or finds no more. We want a clean log.

    Mike
     
  9. dilasluis

    dilasluis TS Rookie Topic Starter

    Here are the new logs...

    I was able to find SAS logs... the problem was that the administrator account logs don't show up on my normal account statistics...

    I will have to do 2 replys because I can only attach 5 files at a time...
     
  10. dilasluis

    dilasluis TS Rookie Topic Starter

    And the other 5 logs...

    Here they are...
     
  11. mflynn

    mflynn TS Rookie Posts: 2,655

    Now a fresh combofix log. Install Recovey Cosole.

    Mike
     
  12. dilasluis

    dilasluis TS Rookie Topic Starter

    I already installed recovery console...

    I believe this recovery console comes with combofix... if it's that I installed it on the first combofix run... here is the log
     
  13. mflynn

    mflynn TS Rookie Posts: 2,655

    Ok that shows these three critical files are infected
    do this to find the backups (hopfully)

    Left Drag mouse and Copy for Pasting all text in the box below.
    Make sure the slider bar goes to bottom from the @ to the end of the second exit.

    Then paste to the black screen of an open command prompt.
    Code:
    @echo off
    cd\
    dir /s regedit.exe >"%USERPROFILE%"\Desktop\CFiles.txt
    echo -------------------------------- >>"%USERPROFILE%"\Desktop\CFiles.txt
    dir /s explorer.exe >>"%USERPROFILE%"\Desktop\CFiles.txt
    echo -------------------------------- >>"%USERPROFILE%"\Desktop\CFiles.txt
    dir /s userinit.exe >>"%USERPROFILE%"\Desktop\CFiles.txt
    echo -------------------------------- >>"%USERPROFILE%"\Desktop\CFiles.txt
    dir /s hal.dll >>"%USERPROFILE%"\Desktop\CFiles.txt
    echo -------------------------------- >>"%USERPROFILE%"\Desktop\CFiles.txt
    dir /s svchost.exe >>"%USERPROFILE%"\Desktop\CFiles.txt
    echo --------------------------------
    dir /s spoolsv.exe >>"%USERPROFILE%"\Desktop\CFiles.txt
    exit
    exit
    Now post the cfiles.txt from the new icon on the desktop back to the thread.

    Mike
     
  14. dilasluis

    dilasluis TS Rookie Topic Starter

    New log...

    here it is
     
  15. mflynn

    mflynn TS Rookie Posts: 2,655

    Sorry I has a typo and corrected it Do it again.

    Mike
     
  16. dilasluis

    dilasluis TS Rookie Topic Starter

    And the new log

    here it is

    Since we begin my computer had returned to classic windows appeareance, a lot of files had been removed like themes and help files, i cannot open links on outlook due to "administrator restriction", I don't have sound or web camera (my drivers were unistalled)... Is all this normal?
     
  17. mflynn

    mflynn TS Rookie Posts: 2,655

    Print this so you will have the commands below.

    When booting chose Recovery Console

    You will be asked to log in.

    At the prompt (Should be C:\WINDOWS>) if not there is a problem stop.
    type
    copy C:\WINDOWS\ServicePackFiles\i386\explorer.exe c:\windows
    copy C:\WINDOWS\ServicePackFiles\i386\svchost.exe c:\windows\system32
    copy C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe c:\windows\system32\spoolsv.exe

    answer yes to over write all the above existing files

    Then type exit to reboot
    Hit the Enter key
    then
    type
    exit

    This will reboot the computer hopefully into windows if not there can be other steps.

    Mike
     
  18. dilasluis

    dilasluis TS Rookie Topic Starter

    I ran Dr.Web and I found win32.virut.56

    Read this and see if it's really impossible to clean and the better is to reformat and reinstall...

    Win32.Virut.56 FYI

    So far Dr.Web found 1000+ infected files in ~800000 files...

    It will take approx more 1.5 hrs to Dr. Web finishes (it's already running for 6hrs...). As soon as it does I will post the logs...
     
  19. mflynn

    mflynn TS Rookie Posts: 2,655

    Well we will see, I am glad you are being proactive Dr Web is good..

    Before Recovery procees above can you post me the log and another combofix and see what it did to that before you proceed.

    Mike
     
  20. dilasluis

    dilasluis TS Rookie Topic Starter

    Major system corruption!!!!

    Dr. Web took 9 hrs and so to scan computer. It found 5175 infected entrys from which 5151 were win32.virut.56 and the others were program.psexec.170, batch.virus, tool.prockill, trojan.download.29919, trojan.nt, rootkit.2670, trojan.wmaloader, and unkknow threats...

    By the end the search finished I was experiencing major system corruption such that, besides all I've described before, most of my drivers were corrupted and I couldn't access the internet no more (I'm currently posting this at a public pc)...

    I have no choice but to format and reinstall. I followed the indications recommended by this thread in another forum.

    As soon as I have more news/questions on this subject I will post here.

    Thank you for your time
     
  21. mflynn

    mflynn TS Rookie Posts: 2,655

    You may try post #13 to at least get stable enough to get some of the files you need to backup.

    I think if the OS is clear like after a reinstall that data files can be cleaned. It is the OS system files that may can not be cleaned.

    Mike
     
  22. dilasluis

    dilasluis TS Rookie Topic Starter

    I've done it but now I have other problems...

    I sucessfuly re-formated hard drives and reinstalled win xp! I ran Dr. Web on local hard drives and on external hard drives and everything was clean.

    A couple of hours ago, AVG found agent_r.ip on nzm2.exe (a system32 process). I ran Combofix and I believe everything is ok. By the way, how do I unistall Microsoft Windows Recovery Console?

    I have a new problem now but I believe it belongs in a new thread. On signing in to Windows Live Messenger, my contact list doesn't show up. it shows up on windows messenger...

    Oh, and I was about to end this without thanking you... Thanks a lot for your time spent with me. Although I had to re-format, I believe I learned a lot about virus/spyware troubleshooting and next time (I hope there's none but we never can be sure...) I will be a more advanced user...

    Thank You! :wave:
     
  23. mflynn

    mflynn TS Rookie Posts: 2,655

    Why in the world would you want to uninstall something as potentially beneficial as Recovery Console?

    Has no impact at all on how the computer runs, the only cost it incurs is the few seconds it gives to select it and a tiny amount of disk space!

    I don't use instant messengers period so I won't be much help. So start a new thread "Help with Live messenger".

    OK if you did a full format and install and you already have Malware then think about what you have installed, used a Flash drive, accessed another partition or drive, a website, a video or music file, email etc

    This did not come from the windows install.

    I wish we could have fixed it. Yours was a case of to many of the really bad ones at the same time.

    Keep behind them with MBAM SAS DRWeb ever so often so you have an infection instead of an infestation

    My closing may help you so consider it!

    Based on what these recent Malwares are doing to userinit, explorer, spoolsv regedit and others I am planning to write a bat/cmd file to do a special backup for recovery from these and others. So below is a few of the things that will be in it.

    Make a folder CriticalFiles. This should only be done on a Clean System or you may backup bad files. Put on boot drive so as to be handy in case of a repair, then a copy on another partition, even better offline like removable media.

    Then search and copy the following to it.
    1. Boot.ini
    2. ntldr
    3. userinit.exe
    4. Explorer.exe
    5. Regedit.exe
    6. Spoolsv.exe
    7. cmd.exe
    8. The entire i386 folder from your current XP install CD hopefully with latest SP to match what is installed on the HD!

    Thread Closing-------------------------------------------------------------------

    Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

    Remove ComboFix
    Start-Run
    type
    combofix /u
    Hit enter or click OK.

    Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

    Save to desktop.

    This will remove all the tools we used to clean your computer.

    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by Firewall. Approve Widows Defender or other guards or security programs while OTCleanIt attempting access to the Internet to allow all.

    If prompted to Reboot click, Yes.
    OTCleanit will delete itself when finished, If not delete it by yourself.

    -------------------------------------------------------------------------------------
    Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
    Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

    Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

    KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
    Fantastic cleaner. (When installing uncheck Relevant Knowledge do not install)
    -------------------------------------------------------------------------------------
    The issues can and are likely found is in System Restore so do the below

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.
    -------------------------------------------------------------------------------------

    Every two weeks or so, run MBAM and SAS until clean.

    They take a while, so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

    If they find something they can not clean, then get back to us.

    Additionally run CCleaner. ATF-Cleaner and KCleaner.
    ----------------------------------------------------------------------------------------
    I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

    It was designed to be used with and to co-exist with other Virus scanners.

    Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

    It's like looking at it with 2 sets of eyes and from a different angle.

    It works like some Firewalls do to learn what is good/bad.

    After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

    As it queries you about the prompt to help you determine to approve or not you can google it with one click.

    http://www.threatfire.com/Download/
    -------------------------------------------------------------------------------------
    Look at http://www.javacoolsoftware.com/spywareblaster.html

    Run SpyBot ocassionally and use the Immunize function.
    http://www.safer-networking.org/en/download/

    I highly reccomend Hostman: Hostman http://majorgeeks.com/HostsMan_d4592.html

    Download install run and allow it to disable DNS Client and select all Host files and then Update and install all host files.

    A Disk Scan (chkdsk) and Defrag are in order.

    Mike
     
  24. dilasluis

    dilasluis TS Rookie Topic Starter

    Thanks for the tips!

    Just that: thank you!

    Andy Luis:D
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...