Please help me with Win32/Heur

By vladis
Feb 19, 2009
Topic Status:
Not open for further replies.
  1. (Sorry for my English)
    I also have a big problem with this Win32/Heur virus. I restarted my PC and booted into Safe Mode with Networking.
    I have read your UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions and I've done all the steps. Before doing that, let me tell you that I had disabled System Restore.
    I attached to this thread the logs that you require to help me get rid of this virus once and for all.

    Some notes:
    1. Is it necessary to scan my computer with Avast or Avira first? I scanned it with AVG.
    2. After step 4 (Malwarebytes Scanning) I didn't need to restart my computer.
    3. After step 5 (SUPERAntispyware Scanning) I restarted my computer.
    4. When I restarted my computer from step 5 I opened the task manager and I noticed the following files running: reader_s.exe, 4.tmp, A.tmp and iexplore.exe without having opened it myself. And then I terminated them manually. Malwarebytes and SUPERAntispyware found those files and deleted them but after rebooting the computer they reappeared.
    5. I couldn't install Java in Safe Mode (because of Administrator rights) so I rebooted in normal mode and installed it.
    6. I rebooted again in Safe Mode with Networking and ran HijackThis. And again I opened the task manager and I noticed some strange processes running and I terminated them manually: 8.tmp, iexplorer.exe (again without having opened it myself) and reader_s.exe
    7. After all these steps I scanned my computer with avast antivirus (avast scanned before Windows loading) and found 9 files with a virus. Some of them were the files I mentioned above (8.tmp, 4.tmp etc.) But avast also found a virus in the file C:\Windows\System32\drivers\ndis.sys and in C:\Windows\System32\dllcache\ndis.sys and C:\Windows\System32\oobe\msoobe.exe. I deleted these files and now I don't have Network Connections. I tried reinstalling my network adapter and I also followed some instructions in the topic: "Network connections and sound not working after malwarebytes" regarding the network and Internet Connection but nothing happened. I tried to copy the missing ndis.sys file from another computer but then I had a BSOD.

    I think that now I'm not infected by win32/heur, but now I don't have network and Internet.
  2. vladis

    vladis Newcomer, in training Topic Starter Posts: 17

    Can anyone help me with this? I'm about to format my PC. I think that I'm not infected now but I don't have any Network Connections in Network Places. I'm guessing that because I deleted these files with Avast, I don't have Internet and Network now. Please someone help me
  3. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Run HJT Scan only, select and fix the below
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O23 - Service: Υπηρεσία ευρετηρίου (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)

    You have Avast (keep it) and AVG (uninstall it)
    In Control Panel, Add/Remove Programs, uninstall it and reboot

    Then download and run..
    AVG remover: http://www.grisoft.cz/filedir/util/avg_arm_sup_____.dir/avgremover.exe
    Download, extract and run Kleaner http://support.kaspersky.com/downloads/products2009/avg8.zip

    Then..

    Another run indicated!
    OK there were found/removed items in both MBAM and SAS so we need to run again as the first run likely exposed things that were not even seen the first time.

    So another run Quick Scan will likely find more. So UPDATE run again. Attach logs.

    Mike
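    The three HijackThis lines above are picked out because two of them point at something that no longer exists on disk, which is a typical leftover of a removed infection. This is an added example, not code from the thread or from HijackThis: a small parser for the HJT line format that extracts the entry type, CLSID and file path and flags "(no file)" / "(file missing)" entries. The sample log is constructed from the three lines quoted above plus one made-up O4 line with a placeholder path.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the three entries quoted in the post above plus one
# invented O4 startup line (placeholder path) that points at an existing file.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O23 - Service: Υπηρεσία ευρετηρίου (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O4 - HKLM\..\Run: [example] C:\EXAMPLE\placeholder.exe
"""

# HJT lines look like "<kind> - <body>", where kind is R0..R3, F0..F3, N1..N4 or O1..O24.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\\S+")
# HJT appends these markers when the referenced file is not on disk.
DANGLING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class HjtEntry:
    kind: str             # entry type, e.g. "O2" (BHO) or "O23" (service)
    body: str             # the text after "<kind> - "
    clsid: Optional[str]  # COM CLSID if the line carries one
    path: Optional[str]   # first absolute Windows path on the line, if any
    dangling: bool        # True when HJT reports the target file as missing


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse HijackThis log text into structured entries; unknown lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append(HjtEntry(
            kind=m.group("kind"),
            body=body,
            clsid=clsid.group(0) if clsid else None,
            path=path.group(0) if path else None,
            dangling=any(marker in body for marker in DANGLING_MARKERS),
        ))
    return entries


def dangling_entries(text: str) -> List[HjtEntry]:
    """Entries whose target file is gone: orphaned registrations worth reviewing."""
    return [e for e in parse_hjt(text) if e.dangling]


if __name__ == "__main__":
    for e in dangling_entries(SAMPLE_HJT):
        print(f"{e.kind}: clsid={e.clsid} path={e.path}")
```

The R0 line is not flagged by this check; it is a plain registry value whose Greek text only looked suspicious because of the encoding.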
  4. vladis

    vladis Newcomer, in training Topic Starter Posts: 17

    I'm still infected! Here are the log files.
    What about my network and Internet Connections and the missing ndis.sys file? Do you have any idea about them?
  5. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Hold on, of course you are still infected! But we will get it. Yes, I know about NDIS.

    Another run indicated!
    OK there were found/removed items in MBAM so we need to run again as the first run likely exposed things that were not even seen the first time.

    So another run Quick Scan will likely find more. So UPDATE MBAM and run again. Attach logs.

    Only after the above is run and log posted do the below!

    Download SDFix to Desktop.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process then say Finished.
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.
    =========================================
    Download ComboFix

    NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    Mike
  6. vladis

    vladis Newcomer, in training Topic Starter Posts: 17

    Ok I ran MBAM again and found nothing (to let you know, all the steps that I'm doing, I do in safe mode). Now should I run SDFix and ComboFix, or should I wait for you to see the attached log file and tell me what to do next?
  7. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Do it to it!

    Run SDFix and post log then ComboFix.

    Mike
  8. vladis

    vladis Newcomer, in training Topic Starter Posts: 17

    I ran SDFix but it didn't prompt me to hit the Enter key in order to restart (I waited about 15 minutes) so I restarted by pressing the usual buttons (Alt, Ctrl & Delete). After restarting the system manually, SDFix didn't run at all in normal mode. I will try again the steps from the beginning.
  9. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Ok if you were doing it in Safe Mode then skip it and do ComboFix.

    If you were not doing it in Safe Mode then boot to Safe mode and try again.

    Mike
  10. vladis

    vladis Newcomer, in training Topic Starter Posts: 17

    I did it in safe mode (then it didn't prompt to hit the enter), I restarted manually, I booted into normal mode but nothing happened (sdfix didn't run at all).
    I ran ComboFix (in safe mode always) and a window appeared telling me that I should close Avast because it is interfering with it. I checked the task manager but all I could see was these files: cmd.execf, csrss.exe, explorer.exe, lsass.exe, NirCmd.cfexe, servises.exe, smss.exe, svchost.exe (x3 times), System, taskmgr.exe, winlogon.exe. I pressed OK on the prompt window and another appeared telling me: " *avast! antivirus 4.8.1335[VPS 090218-0] the above real time scanner(s) are still active but ComboFix shall continue to run. Kindly note that this is at your own risk. "

    What should I do now? Press "OK", or is Avast indeed running and I must close it somehow?
  11. mflynn

    mflynn Newcomer, in training Posts: 2,793

  12. vladis

    vladis Newcomer, in training Topic Starter Posts: 17

    The link you gave me doesn't work
  13. mflynn

    mflynn Newcomer, in training Posts: 2,793

    The entire site is offline. I hope it is temporary; we just lost CastleCops, a valuable resource.

    Right click the A icon in the system tray (bottom right of screen) then click Stop on-access protection

    Mike
  14. vladis

    vladis Newcomer, in training Topic Starter Posts: 17

    Ok it worked but as I told you avast isn't open and running on my computer. The only thing this link was saying was to right click on the icon and choose to Stop it. But I have no icon of avast open and I don't see any of avast's files-processes in the task manager. I pressed ok on the second popup window that Combofix showed me, but I waited for about 30 minutes and the only thing I was seeing was a blue cmd screen saying: "Scanning for infected files... This typically doesn't take more than 10 minutes. However, scan times for badly infected machines may easily double"


    My friend, I am very thankful that you are trying to help me (even if you don't know me), but maybe I should format and end the story? I don't like to have you tired or frustrated because my PC is nuts! (again sorry for my English, I don't want to offend you by any of this)
  15. mflynn

    mflynn Newcomer, in training Posts: 2,793

    That is why I am here to help!

    I don't give up easily, or at all. But these things go to a point where they break loose and all begins to work.

    I would hold off for a little longer.

    If it worked as posted, then where is the ComboFix log?

    We have cleaned up many things; is there improvement at all?

    Mike
  16. vladis

    vladis Newcomer, in training Topic Starter Posts: 17

    Thank you very much for your help though!
    I told you that I don't have any ComboFix log, because ComboFix is still scanning for infected files! The only thing I see at this time on my screen is "Scanning for infected files... This typically doesn't take more than 10 minutes. However, scan times for badly infected machines may easily double". And I opened CCleaner and I disabled Avast from running at startup but ComboFix prompted me again that I have it open.

    Yes we cleared (I think) the virus but now I don't have Internet and Network Connections. I checked again with MBAM and with SAS (Quick Scans) but they found nothing (thank God).

    I don't give up easily either. I don't like formatting my computer nor other people's computers (I'm kind of a PC technician, but nothing serious. I do another job for a living), but this time I'm almost at my limits!
  17. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK give it 10 more minutes then abort it.

    Let's try to fix the Internet.

    Do this..

    Open SAS Click Preferences-Repairs
    Then counting down from top do the following entries

    Numbers 6, 8, 11, 12, 13, 15, 18, 19, 20, 21, 22, 24, 25, 26 and 27!

    When finished reboot

    Test the Internet and, working or not, do the below.

    Get Nod32

    Download http://finalbuilds.edskes.net/nod32.htm
    If the above link fails, go to http://home.hccnet.nl/h.edskes/mirror.htm

    Slide down near the bottom of the page, find nod32; to the right will be 3 Mirrors marked Online. Try each, one of them will work.
    Boot to Safe Mode only to run.

    Before Scanning click Setup and click all boxes under Scan. Typically only System memory is not checked, so check it. Then click logging, then Scan and clean.

    It is very thorough and may detect some other malware cleaners as a threat, so if it seems to point to, say, SpyBot then click Leave.
    If you have doubt about an issue then Quarantine it and it can be restored.

    Depending on CPU and HD speed and the fact we are in (Safe Mode slower also) it could take a while.

    Mike
  18. vladis

    vladis Newcomer, in training Topic Starter Posts: 17

    I finished with the repairs and it prompted for a restart. I pressed OK and it showed me "in a flash" an error about a dll but I didn't manage to see what it was.
    I rebooted in normal mode and again I didn't have Network or Internet. At this point let me tell you what I noticed.

    I noticed that when I go in the properties of my network places I don't see any adapter. And when I go in device manager in the Network Adapters I see some adapters for the first time in my Computer such as:
    Bluetooth Lan Access Server Driver - Package Schedule Miniport (I tried to translate into English because I see it in Greek)
    NVIDIA nForce Networking Controller
    NVIDIA nForce Networking Controller - Package Schedule Miniport
    Realtek RTL8139 Family PCI Fast Ethernet NIC - Package Schedule Miniport
    Wan Miniport (IP)
    Wan Miniport (IP) - Package Schedule Miniport
    Wan Miniport (L2TP)
    Wan Miniport (PPPOE)
    Wan Miniport (PPTP)
    Wan Miniport (Network Control)
    Wan Miniport (Network Control) - Package Schedule Miniport
    Direct Parallel
    IR Port

    all the above have a yellow exclamation mark on them


    I downloaded and installed Nod32. At the end of the installation I get a window saying: "checking CRC of NOD32.exe: file is corrupted, possibly due to infection."
    I pressed OK and I started the scanning as you instructed me.
  19. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK go into Device Manager and right-click and uninstall all items with a yellow Exclamation point (!).

    And any items in Unknown devices if any.

    Then reboot they should all reinstall correctly.

    Let me know.

    Mike
  20. vladis

    vladis Newcomer, in training Topic Starter Posts: 17

    I tried to do that before you told me but the system doesn't let me uninstall it. It says (I will try again to translate into English) that the removal of the installation of the device failed. Maybe the device must reboot the computer. I rebooted several times but the devices are still there.

    NOD32 cannot quarantine any item in which it finds a virus. It can only clean or delete the infected files, and almost all of them are infected with the virus win32/Virut.NBK.
  21. vladis

    vladis Newcomer, in training Topic Starter Posts: 17

    Ok now I think I must format my computer! NOD32 deleted a lot of files in Windows\system32 and Windows\dllcache and to other system folders that were infected with win32/Virut.NBK.
    Now I booted to safe mode and Nod32 has also deleted Explorer.exe! I pressed File->New Task-> wrote explorer.exe, in Task Manager, and I get a window telling me that Windows cannot find it! Thank you very much for your time and help and next I think I will be more careful when downloading Cracks from the Internet. I think from now on I will buy the programs or will find freeware!
  22. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Yes be careful! That is the most sure way to get infected.

    But since we have removed most Malware you should try a Repair install first; if it doesn't work then do a full install.

    A repair install fixes Windows (things like Explorer) but keeps all programs data email photos etc.

    If it works your computer will come back up as it always has.

    To do a Repair install do this..

    Boot from Windows CD
    Hit Enter to install
    At a point it will ask if you wish to Repair windows using the (R) Recovery console
    Decline that first R and continue
    Windows should continue and indicate it has found an existing Windows installation
    It will offer (R) To repair.
    Hit R
    From there it looks like a normal Windows install and when it finishes it should boot back to your old desktop.

    Let me know if you do the Repair when it comes up to your old desktop.

    Mike
  23. vladis

    vladis Newcomer, in training Topic Starter Posts: 17

    I didn't do a repair. I did a full install. I disabled the other two HDDs I had in my system first, because I think they are infected with win32/heur and win32/virut.nbk too. Can you suggest how I am going to clean them without infecting my system again?
  24. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Install Avira from the 8 Steps update and do a full scan after reconnecting the drives.

    Most Malware and Viruses want to get into the OS (Windows); yours is now clean. So the Virus scanner can easily clean those that are outside Windows.

    After a full scan with Avira, if Avira did find issues then do the MBAM, SAS, SDFix and ComboFix steps to be sure. Post logs.

    Mike
  25. vladis

    vladis Newcomer, in training Topic Starter Posts: 17

    Avira found on my other 2 drives almost 500 hundred files (exe's) infected with the win32/virut.gen virus. It cannot clean/repair the files, it can only put them into quarantine, which means I can't use them anymore! Is there a way or a tool, antivirus etc. that can heal those files? I can't lose them all because they are setup files for programs, games etc. that I have collected over many years. Is there a way to heal them or must I start looking for them over the Internet again?

    As soon as I finish with the scans of MBAM, SAS, SDFix and ComboFix I will send you the logs.