I have a win32/heur infection on my laptop (VAIO VGN FE-31M, Intel Core 2, 1.83GHz, 2GB ram, win xp sp3 media center edition). I have already taken the 8 steps advised and I attach the logs. Step 5 couldn't be performed because my computer crashs everytime I run SUPERAntiSpyware after finding like 8 threads. I attach also my AVG 8 Internet Security log.
Huge Win32/Heur Infection help
- Thread starter dilasluis
- Start date
- Status
Run HJT Scan only Select and Fix the below.
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TEMP\init.exe,C:\WINDOWS\system32\actcontroller.exe,C:\WINDOWS\system32\actcontroller.exe,C:\WINDOWS\system32\c++.exe,C:\WINDOWS\system32\i386kd.exe,C:\WINDOWS\system32\pdbcopy.exe,
Another run indicated!
OK there were found/removed items in MBAM so we need to run again as the first run likely exposed things that were not even seen the first time.
So another run Quick Scan will likely find more. So UPDATE MBAM and run again. post log.
Then ONLY when the above is complete and log posted do the below.
Download SDFix to Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
On Desktop run SDdFix It will run (install) then close.
Then reboot into Safe Mode
As the computer starts up, tap the F8 key several times.
On the Boot menu Choose Safe Mode.
Click thu all the prompts to get to desktop.
At Desktop
My Computer C: drive. Double-click to open.
Look for a folder called SD Fix. Double-click to enter SD Fix.
Double-click to RunThis.bat. Type Y to begin.
SD Fix does its job.
When prompted hit the enter key to restart the computer
Your computer will reboot.
On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.
Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.
=========================================
Download ComboFix
NOTE: If you have had ComboFix more than a few days old delete and re-download.
Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe
Double click combofix.exe follow the prompts.
Install Recovery Console if connected to the Internet!
When finished, it will open a log.
Attach the log and a new HJT log in your next reply.
Note: Do not click combofix's window while its running. That may cause it to stall.
Mike
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TEMP\init.exe,C:\WINDOWS\system32\actcontroller.exe,C:\WINDOWS\system32\actcontroller.exe,C:\WINDOWS\system32\c++.exe,C:\WINDOWS\system32\i386kd.exe,C:\WINDOWS\system32\pdbcopy.exe,
Another run indicated!
OK there were found/removed items in MBAM so we need to run again as the first run likely exposed things that were not even seen the first time.
So another run Quick Scan will likely find more. So UPDATE MBAM and run again. post log.
Then ONLY when the above is complete and log posted do the below.
Download SDFix to Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
On Desktop run SDdFix It will run (install) then close.
Then reboot into Safe Mode
As the computer starts up, tap the F8 key several times.
On the Boot menu Choose Safe Mode.
Click thu all the prompts to get to desktop.
At Desktop
My Computer C: drive. Double-click to open.
Look for a folder called SD Fix. Double-click to enter SD Fix.
Double-click to RunThis.bat. Type Y to begin.
SD Fix does its job.
When prompted hit the enter key to restart the computer
Your computer will reboot.
On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.
Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.
=========================================
Download ComboFix
NOTE: If you have had ComboFix more than a few days old delete and re-download.
Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe
Double click combofix.exe follow the prompts.
Install Recovery Console if connected to the Internet!
When finished, it will open a log.
Attach the log and a new HJT log in your next reply.
Note: Do not click combofix's window while its running. That may cause it to stall.
Mike
Sorry for taking so long (I am at GMT)...
Here are the new logs. I was unable to run SDFix because, like SUPERAntiSpyware, the computer crashes showing a blue screen.
Thank you for your time
Andy Luis
Just one more thing, do you think I can connect my iPhone and iPod to my PC while it is infected? Or in another words, does this virus will corrupt an Apple system?
Here are the new logs. I was unable to run SDFix because, like SUPERAntiSpyware, the computer crashes showing a blue screen.
Thank you for your time
Andy Luis
Just one more thing, do you think I can connect my iPhone and iPod to my PC while it is infected? Or in another words, does this virus will corrupt an Apple system?
OK good job!
But found some bad!
Run HJT Scan only select and Fix the below
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TEMP\init.exe
Another run indicated!
OK there were found/removed items in both MBAM and ComboFix so we need to run again as the first run likely exposed things that were not even seen the first time.
So another run Quick Scan will likely find more. So UPDATE MBAM and run again.
Then run ComboFix again.
Where is the SuperAntiSpyware log we need it! So get it here.
Mike
But found some bad!
Run HJT Scan only select and Fix the below
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TEMP\init.exe
Another run indicated!
OK there were found/removed items in both MBAM and ComboFix so we need to run again as the first run likely exposed things that were not even seen the first time.
So another run Quick Scan will likely find more. So UPDATE MBAM and run again.
Then run ComboFix again.
Where is the SuperAntiSpyware log we need it! So get it here.
Mike
Well that alone is a sign something is wrong!
UPDATE and run MBAM and ComboFix again as they had found/repaired items.I need to confirm they are gone or can not complete repairs or clean.
Then...
Uninstall the SAS, reboot download and reinstall SAS and update but don't run.
Boot to Safe mode with Networking and run SAS.
Mike
UPDATE and run MBAM and ComboFix again as they had found/repaired items.I need to confirm they are gone or can not complete repairs or clean.
Then...
Uninstall the SAS, reboot download and reinstall SAS and update but don't run.
Boot to Safe mode with Networking and run SAS.
Mike
SAS produced no logs...
I ran SAS on safe mode, once full scan which resulted in 23 infections, and twice quick scan which both resulted in no infections. I went to check for the logs but there were none.
I tried to run SAS on normal mode then but it resulted on blue screen crash again.
I ran MBAM twice on quick scan. The first resulted in some infections which I suppose were successfully removed because the second run didn't find anything.
I attached the new logs.
P.S.: After SAS, when my computer rebooted, all my win xp themes had disappeared and everything looks like win 3.0.
I ran SAS on safe mode, once full scan which resulted in 23 infections, and twice quick scan which both resulted in no infections. I went to check for the logs but there were none.
I tried to run SAS on normal mode then but it resulted on blue screen crash again.
I ran MBAM twice on quick scan. The first resulted in some infections which I suppose were successfully removed because the second run didn't find anything.
I attached the new logs.
P.S.: After SAS, when my computer rebooted, all my win xp themes had disappeared and everything looks like win 3.0.
To get the SAS logs.
1. Open SAS
2.Click Preferences
3.Click Statistics/logs
So post me all logs 1 at a time.
I need to see the MBAM log of what was found. What you had gives insight on how best to continue. Do not omit posting any logs.
So..
Open MBAM click logs and sen me the other logs.
Then ...
Run ComboFix again as it had some really bad ones and we need to see that they really did go away or finds no more. We want a clean log.
Mike
1. Open SAS
2.Click Preferences
3.Click Statistics/logs
So post me all logs 1 at a time.
I need to see the MBAM log of what was found. What you had gives insight on how best to continue. Do not omit posting any logs.
So..
Open MBAM click logs and sen me the other logs.
Then ...
Run ComboFix again as it had some really bad ones and we need to see that they really did go away or finds no more. We want a clean log.
Mike
Ok that shows these three critical files are infected
Left Drag mouse and Copy for Pasting all text in the box below.
Make sure the slider bar goes to bottom from the @ to the end of the second exit.
Then paste to the black screen of an open command prompt.
Now post the cfiles.txt from the new icon on the desktop back to the thread.
Mike
do this to find the backups (hopfully)
Left Drag mouse and Copy for Pasting all text in the box below.
Make sure the slider bar goes to bottom from the @ to the end of the second exit.
Then paste to the black screen of an open command prompt.
Code:
@echo off
cd\
dir /s regedit.exe >"%USERPROFILE%"\Desktop\CFiles.txt
echo -------------------------------- >>"%USERPROFILE%"\Desktop\CFiles.txt
dir /s explorer.exe >>"%USERPROFILE%"\Desktop\CFiles.txt
echo -------------------------------- >>"%USERPROFILE%"\Desktop\CFiles.txt
dir /s userinit.exe >>"%USERPROFILE%"\Desktop\CFiles.txt
echo -------------------------------- >>"%USERPROFILE%"\Desktop\CFiles.txt
dir /s hal.dll >>"%USERPROFILE%"\Desktop\CFiles.txt
echo -------------------------------- >>"%USERPROFILE%"\Desktop\CFiles.txt
dir /s svchost.exe >>"%USERPROFILE%"\Desktop\CFiles.txt
echo --------------------------------
dir /s spoolsv.exe >>"%USERPROFILE%"\Desktop\CFiles.txt
exit
exitNow post the cfiles.txt from the new icon on the desktop back to the thread.
Mike
And the new log
here it is
Since we begin my computer had returned to classic windows appeareance, a lot of files had been removed like themes and help files, i cannot open links on outlook due to "administrator restriction", I don't have sound or web camera (my drivers were unistalled)... Is all this normal?
here it is
Since we begin my computer had returned to classic windows appeareance, a lot of files had been removed like themes and help files, i cannot open links on outlook due to "administrator restriction", I don't have sound or web camera (my drivers were unistalled)... Is all this normal?
Print this so you will have the commands below.
When booting chose Recovery Console
You will be asked to log in.
At the prompt (Should be C:\WINDOWS>) if not there is a problem stop.
type
copy C:\WINDOWS\ServicePackFiles\i386\explorer.exe c:\windows
copy C:\WINDOWS\ServicePackFiles\i386\svchost.exe c:\windows\system32
copy C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe c:\windows\system32\spoolsv.exe
answer yes to over write all the above existing files
Then type exit to reboot
Hit the Enter key
then
type
exit
This will reboot the computer hopefully into windows if not there can be other steps.
Mike
When booting chose Recovery Console
You will be asked to log in.
At the prompt (Should be C:\WINDOWS>) if not there is a problem stop.
type
copy C:\WINDOWS\ServicePackFiles\i386\explorer.exe c:\windows
copy C:\WINDOWS\ServicePackFiles\i386\svchost.exe c:\windows\system32
copy C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe c:\windows\system32\spoolsv.exe
answer yes to over write all the above existing files
Then type exit to reboot
Hit the Enter key
then
type
exit
This will reboot the computer hopefully into windows if not there can be other steps.
Mike
I ran Dr.Web and I found win32.virut.56
Read this and see if it's really impossible to clean and the better is to reformat and reinstall...
Win32.Virut.56 FYI
So far Dr.Web found 1000+ infected files in ~800000 files...
It will take approx more 1.5 hrs to Dr. Web finishes (it's already running for 6hrs...). As soon as it does I will post the logs...
Read this and see if it's really impossible to clean and the better is to reformat and reinstall...
Win32.Virut.56 FYI
So far Dr.Web found 1000+ infected files in ~800000 files...
It will take approx more 1.5 hrs to Dr. Web finishes (it's already running for 6hrs...). As soon as it does I will post the logs...
Major system corruption!!!!
Dr. Web took 9 hrs and so to scan computer. It found 5175 infected entrys from which 5151 were win32.virut.56 and the others were program.psexec.170, batch.virus, tool.prockill, trojan.download.29919, trojan.nt, rootkit.2670, trojan.wmaloader, and unkknow threats...
By the end the search finished I was experiencing major system corruption such that, besides all I've described before, most of my drivers were corrupted and I couldn't access the internet no more (I'm currently posting this at a public pc)...
I have no choice but to format and reinstall. I followed the indications recommended by this thread in another forum.
As soon as I have more news/questions on this subject I will post here.
Thank you for your time
Dr. Web took 9 hrs and so to scan computer. It found 5175 infected entrys from which 5151 were win32.virut.56 and the others were program.psexec.170, batch.virus, tool.prockill, trojan.download.29919, trojan.nt, rootkit.2670, trojan.wmaloader, and unkknow threats...
By the end the search finished I was experiencing major system corruption such that, besides all I've described before, most of my drivers were corrupted and I couldn't access the internet no more (I'm currently posting this at a public pc)...
I have no choice but to format and reinstall. I followed the indications recommended by this thread in another forum.
As soon as I have more news/questions on this subject I will post here.
Thank you for your time
I've done it but now I have other problems...
I sucessfuly re-formated hard drives and reinstalled win xp! I ran Dr. Web on local hard drives and on external hard drives and everything was clean.
A couple of hours ago, AVG found agent_r.ip on nzm2.exe (a system32 process). I ran Combofix and I believe everything is ok. By the way, how do I unistall Microsoft Windows Recovery Console?
I have a new problem now but I believe it belongs in a new thread. On signing in to Windows Live Messenger, my contact list doesn't show up. it shows up on windows messenger...
Oh, and I was about to end this without thanking you... Thanks a lot for your time spent with me. Although I had to re-format, I believe I learned a lot about virus/spyware troubleshooting and next time (I hope there's none but we never can be sure...) I will be a more advanced user...
Thank You! :wave:
I sucessfuly re-formated hard drives and reinstalled win xp! I ran Dr. Web on local hard drives and on external hard drives and everything was clean.
A couple of hours ago, AVG found agent_r.ip on nzm2.exe (a system32 process). I ran Combofix and I believe everything is ok. By the way, how do I unistall Microsoft Windows Recovery Console?
I have a new problem now but I believe it belongs in a new thread. On signing in to Windows Live Messenger, my contact list doesn't show up. it shows up on windows messenger...
Oh, and I was about to end this without thanking you... Thanks a lot for your time spent with me. Although I had to re-format, I believe I learned a lot about virus/spyware troubleshooting and next time (I hope there's none but we never can be sure...) I will be a more advanced user...
Thank You! :wave:
Why in the world would you want to uninstall something as potentially beneficial as Recovery Console?
Has no impact at all on how the computer runs, the only cost it incurs is the few seconds it gives to select it and a tiny amount of disk space!
I don't use instant messengers period so I won't be much help. So start a new thread "Help with Live messenger".
OK if you did a full format and install and you already have Malware then think about what you have installed, used a Flash drive, accessed another partition or drive, a website, a video or music file, email etc
This did not come from the windows install.
I wish we could have fixed it. Yours was a case of to many of the really bad ones at the same time.
Keep behind them with MBAM SAS DRWeb ever so often so you have an infection instead of an infestation
My closing may help you so consider it!
Based on what these recent Malwares are doing to userinit, explorer, spoolsv regedit and others I am planning to write a bat/cmd file to do a special backup for recovery from these and others. So below is a few of the things that will be in it.
Make a folder CriticalFiles. This should only be done on a Clean System or you may backup bad files. Put on boot drive so as to be handy in case of a repair, then a copy on another partition, even better offline like removable media.
Then search and copy the following to it.
1. Boot.ini
2. ntldr
3. userinit.exe
4. Explorer.exe
5. Regedit.exe
6. Spoolsv.exe
7. cmd.exe
8. The entire i386 folder from your current XP install CD hopefully with latest SP to match what is installed on the HD!
Thread Closing-------------------------------------------------------------------
Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.
Remove ComboFix
Start-Run
type
combofix /u
Hit enter or click OK.
Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe
Save to desktop.
This will remove all the tools we used to clean your computer.
Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"
Approve all if prompted by Firewall. Approve Widows Defender or other guards or security programs while OTCleanIt attempting access to the Internet to allow all.
If prompted to Reboot click, Yes.
OTCleanit will delete itself when finished, If not delete it by yourself.
-------------------------------------------------------------------------------------
Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.
Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.
KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner. (When installing uncheck Relevant Knowledge do not install)
-------------------------------------------------------------------------------------
The issues can and are likely found is in System Restore so do the below
Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".
Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.
As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.
It clears what is known as Shadow copies which are used by specialized back up programs.
This is if you have the Volume Shadow Copy running which is the default.
-------------------------------------------------------------------------------------
Every two weeks or so, run MBAM and SAS until clean.
They take a while, so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.
If they find something they can not clean, then get back to us.
Additionally run CCleaner. ATF-Cleaner and KCleaner.
----------------------------------------------------------------------------------------
I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.
It was designed to be used with and to co-exist with other Virus scanners.
Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.
It's like looking at it with 2 sets of eyes and from a different angle.
It works like some Firewalls do to learn what is good/bad.
After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.
As it queries you about the prompt to help you determine to approve or not you can google it with one click.
http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html
Run SpyBot ocassionally and use the Immunize function.
http://www.safer-networking.org/en/download/
I highly reccomend Hostman: Hostman http://majorgeeks.com/HostsMan_d4592.html
Download install run and allow it to disable DNS Client and select all Host files and then Update and install all host files.
A Disk Scan (chkdsk) and Defrag are in order.
Mike
Has no impact at all on how the computer runs, the only cost it incurs is the few seconds it gives to select it and a tiny amount of disk space!
I don't use instant messengers period so I won't be much help. So start a new thread "Help with Live messenger".
OK if you did a full format and install and you already have Malware then think about what you have installed, used a Flash drive, accessed another partition or drive, a website, a video or music file, email etc
This did not come from the windows install.
I wish we could have fixed it. Yours was a case of to many of the really bad ones at the same time.
Keep behind them with MBAM SAS DRWeb ever so often so you have an infection instead of an infestation
My closing may help you so consider it!
Based on what these recent Malwares are doing to userinit, explorer, spoolsv regedit and others I am planning to write a bat/cmd file to do a special backup for recovery from these and others. So below is a few of the things that will be in it.
Make a folder CriticalFiles. This should only be done on a Clean System or you may backup bad files. Put on boot drive so as to be handy in case of a repair, then a copy on another partition, even better offline like removable media.
Then search and copy the following to it.
1. Boot.ini
2. ntldr
3. userinit.exe
4. Explorer.exe
5. Regedit.exe
6. Spoolsv.exe
7. cmd.exe
8. The entire i386 folder from your current XP install CD hopefully with latest SP to match what is installed on the HD!
Thread Closing-------------------------------------------------------------------
Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.
Remove ComboFix
Start-Run
type
combofix /u
Hit enter or click OK.
Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe
Save to desktop.
This will remove all the tools we used to clean your computer.
Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"
Approve all if prompted by Firewall. Approve Widows Defender or other guards or security programs while OTCleanIt attempting access to the Internet to allow all.
If prompted to Reboot click, Yes.
OTCleanit will delete itself when finished, If not delete it by yourself.
-------------------------------------------------------------------------------------
Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.
Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.
KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner. (When installing uncheck Relevant Knowledge do not install)
-------------------------------------------------------------------------------------
The issues can and are likely found is in System Restore so do the below
Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".
Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.
As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.
It clears what is known as Shadow copies which are used by specialized back up programs.
This is if you have the Volume Shadow Copy running which is the default.
-------------------------------------------------------------------------------------
Every two weeks or so, run MBAM and SAS until clean.
They take a while, so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.
If they find something they can not clean, then get back to us.
Additionally run CCleaner. ATF-Cleaner and KCleaner.
----------------------------------------------------------------------------------------
I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.
It was designed to be used with and to co-exist with other Virus scanners.
Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.
It's like looking at it with 2 sets of eyes and from a different angle.
It works like some Firewalls do to learn what is good/bad.
After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.
As it queries you about the prompt to help you determine to approve or not you can google it with one click.
http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html
Run SpyBot ocassionally and use the Immunize function.
http://www.safer-networking.org/en/download/
I highly reccomend Hostman: Hostman http://majorgeeks.com/HostsMan_d4592.html
Download install run and allow it to disable DNS Client and select all Host files and then Update and install all host files.
A Disk Scan (chkdsk) and Defrag are in order.
Mike
- Status
Similar threads
Latest posts
-
"CPUs Don't Matter For 4K Gaming"... Wrong!- GodisanAtheist replied
