Win32/heur virus and other problems


rachwcu

Hi,

I'm going to start by saying that I am not particularly computer literate, so I may need extra instructions if things get too technical. I am having quite a few problems with my computer, which may or may not all be connected to a virus. I have Vista, if that info is needed.
The Problems:
1) My Windows updates are not working. I have no idea if this is related.
2) I had the free version of AVG, and a few days ago it detected a win/32 heur virus. Once it detected this virus, it stopped working. AVG would not complete a scan, it usually got stuck when it was scanning C://windows/SYSTEM (or something like this). I tried three times to complete a scan, leaving it scanning for as much as 24 hours, and it did not work. Thinking that there was some kind of problem with AVG, I uninstalled it, and tried to reinstall. It will not reinstall. During this time, I also could not connect to update AVG...I don't know if this is related.
I then installed Avast, and encountered the same problem. It got stuck at the same place as AVG did.
3) I tried to run Spybot, which did not work at all (it would not even open, and a message came up that said it was not working). I tried to uninstall Spybot, and it did not completely uninstall. I have no idea why or how to fix this. I cannot reinstall Spybot either; it says: "Error sending request. The Server name or address could not be resolved". I could not access safer-networking.org through either IE or Firefox.
4) I am being redirected through Google to random sites. It happens if I click on a link. If I type directly into the bar thingie (lol, oh geez...don't know what it's called), it will connect with the correct website.

I read through a bunch of posts, and found the 8-step guide, but I wanted to check in and see if there was anything I should do before the 8-steps. I removed my uTorrent program like it said, I don't have any other filesharing/P2P programs as far as I know.

If anyone could help, that would be great. Please let me know if you need other info...I'm sure I've left stuff out, I'm just not sure what! I'm not sure what the first step should be, since I can't run a proper AntiVirus scan...
Thanks!
 
Ok, just an update: I am trying one more time to run a virus scan, using avast. In the first 10 seconds it found "Suspicious Files". They are:
"C:\Windows\system32\Drivers\gxvxcdkrnelexcooyconsqnvqmfpqtpurybdb.sys" Type: "Rootkit: hidden file"
"C:\Windows\system32\drivers\...(same as above)" Type: "hidden services"

I am submitting the files to the virus lab, and ignoring, as I'm not sure I should delete... I just clicked ignore and it said it detected a virus in the operating memory and performing a boot scan. I am going to do the restart and boot scan, and I'll post back what happens. I think it will freeze again, and if it does, I'm going to cancel the scan, and just wait for a reply from someone here.

Again, Thanks!
 
Another update: I ran the Avast boot scan, and it completed. It found 1 thing:
"C:\Windows\System32\drivers\gxvxcdkrnelexcooyconsqnvqmfpqtpurybdb.sys" "Infected by Win32:Alureon-R [Rtk]". I chose the option "Move to Chest", as I was not sure whether I should delete or not.
Now that I've successfully completed a virus scan, I'm going to download the Comodo Firewall, and continue with the steps in the guide.

Sorry about all of the updates, I just wanted to make sure all the information I had was available to whomever chooses to help.
Thanks!

Ok...I've tried to download both Comodo and Zonealarm through this site and the main companies' sites and got Page Error messages. To get around this, I did a Google search, and am downloading Zonealarm through "download.cnet.com"... I'm hoping this is reliable, because I can't seem to get it any other way.
 
Finally made it through all 8 steps!
I was unable to update Malwarebytes or Zonealarm. I could update SuperAntiSpyware.

Logs are attached...I'm not positive that I did it right, but it seems like they're there.

Thanks.
 
Hello rachwcu, it looks right :)

Please download combofix here -> https://www.techspot.com/downloads/5587-combofix.html

Before saving it to the Desktop, please rename it to something like 123.exe to stop malware from disabling it.


Open Notepad and copy/paste the text in the quote box below into it.
Name the file CFScript
and save it on the desktop.

Killall::

Snapshot::

File::
C:\Windows\system32\Drivers\gxvxcdkrnelexcooyconsqnvqmfpqtpurybdb.sys

http://www.fromsej.saknet.dk/billeder/cfscript.gif

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post.


Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
Ok...computer illiterate person needs further instructions meant for a dummy.

How do I rename Combofix?
Once I drag the .txt file into Combofix does it automatically reboot?
 
See if you can run ComboFix without renaming it.

Otherwise - right-click on ComboFix - Rename.

No, when you drag CFScript.txt into ComboFix.exe, it will scan your computer; if ComboFix needs to reboot, it will do it by itself.
 
I'm having some trouble with ComboFix. I've followed the instructions to the letter, but once the window pops open and says it's going to try to set up a new system restore point, it freezes. There is a warning/disclaimer popup right after the ComboFix blue screen pops up, if that may be a problem. Also, some sort of small window pops up loading something, I think related to the system restore. I've tried it three times, with no results; no log. I've left the window open for hours, and it never goes farther than that. Any suggestions on how to make it work? It's possible I downloaded it wrong or something, or I need to turn something off I don't know about...
 
Ok, then I'll suggest you try ComboFix from Safe Mode ->

"Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode."
 
ComboFix is still not working, even in Safe Mode. It said something like "Access denied, run as administrator", but then would proceed to trying to set up a system restore point, and then it just sits there, doing nothing. I'm not sure what's up with that. I tried to run as admin (I'm using Vista, if there's some special way to run ComboFix), but couldn't figure out how to run as admin AND drag the CFScript.txt into 123.exe. They both open the program automatically...
Any other suggestions?
 
Please download http://swandog46.geekstogo.com/avenger2/download.php
by Swandog46 to your Desktop.
Click on Avenger.zip to open the file
Extract avenger2.exe to your desktop

Start Avenger

Files to delete:
c:\windows\system32\CF31361.exe
c:\windows\system32\CF30835.exe
c:\windows\system32\CF30728.exe
c:\windows\system32\CF32470.exe
c:\windows\system32\CF28565.exe
c:\windows\system32\CF28477.exe
C:\32788R22FWJFW.1.tmp
c:\windows\system32\CF28379.exe
C:\32788R22FWJFW.0.tmp
c:\windows\system32\CF28183.exe
c:\windows\system32\CF7548.exe
c:\windows\system32\CF21826.exe
c:\windows\system32\CF7846.exe
c:\windows\system32\CF6158.exe
c:\windows\system32\CF5913.exe
c:\windows\config\bkteni.bak2
c:\windows\system\sodavaj.bak2

Copy/paste all the text in the above quote box into the main window.
Click Execute.

The Avenger will automatically do the following:
It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)

On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions.

This log file will be located at C:\avenger.txt

Attach C:\avenger.txt in your next reply. If you can run ComboFix now, please attach that log as well.
 
Ok. Try Malwarebytes again, slightly differently -

Download Malwarebytes
http://www.download.com/Malwarebyte...4-10804572.html?tag=mncol;pop&cdlPid=10878968

Save the file as setup.exe

Run the setup.exe file.
When it gets to the final step of the installation it will seem like it has frozen... it hasn't, but it will take anywhere from 15 minutes to an hour to get through that step, so just let it do its thing.

If the automatic update fails, download the manual update to the Desktop ->
http://www.gt500.org/malwarebytes/mbam-rules.exe
Double-click on the exe file.

This manual updater should get you fairly recent.
Reboot to Safe Mode.

Go into the Malwarebytes folder in Program Files.
Rename mbam.exe to 123.exe and run it.
Do a full computer scan.
Check all and remove/fix/delete them.

Restart your computer and attach the log.
 