Huge Win32/Heur Infection help

  #1  
Old 02-21-2009
Newcomer, in training
 
Location: Santo Andre, Portugal or Lisbon, Portugal
Member since: Feb 2009, 14 posts
Huge Win32/Heur Infection help

I have a win32/heur infection on my laptop (VAIO VGN FE-31M, Intel Core 2, 1.83GHz, 2GB RAM, Win XP SP3 Media Center Edition). I have already taken the 8 steps advised and I attach the logs. Step 5 couldn't be performed because my computer crashes every time I run SUPERAntiSpyware after it finds about 8 threats. I also attach my AVG 8 Internet Security log.
Attached Files
File Type: txt AVG Internet Security 8.txt (32.3 KB, 2 views)
File Type: txt mbam-log-2009-02-21 (14-20-24).txt (1.9 KB, 4 views)
File Type: txt hijackthis.txt (15.7 KB, 5 views)
  #2  
Old 02-21-2009
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
Run HJT Scan only, select and Fix the below.
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TEMP\init.exe,C:\WINDOWS\system32\actcontroller.exe,C:\WINDOWS\system32\actcontroller.exe,C:\WINDOWS\system32\c++.exe,C:\WINDOWS\system32\i386kd.exe,C:\WINDOWS\system32\pdbcopy.exe,

Another run indicated!
OK, there were found/removed items in MBAM, so we need to run again, as the first run likely exposed things that were not even seen the first time.

So another Quick Scan run will likely find more. So UPDATE MBAM and run again. Post the log.

Then ONLY when the above is complete and log posted do the below.

Download SDFix to Desktop.

http://downloads.andymanchesta.com/R...ools/SDFix.exe

On the Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to the desktop.

At Desktop
My Computer, C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted, hit the Enter key to restart the computer.

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process, then say Finished.
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.
=========================================
Download ComboFix

NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

Install Recovery Console if connected to the Internet!

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

Mike
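As an added example (not from the thread, HijackThis or any of the tools named above), a small Python check that applies the reasoning behind the F2 fix: on a stock Windows XP install the Winlogon Userinit value holds only userinit.exe, so every other entry in that line is something to look at. The sample line is constructed from the F2 line quoted above, including the spaces the forum line-wrap inserted into some paths.

```python
import re

# Constructed sample: the F2 line from the HijackThis log quoted above, including
# the spaces that the forum line-wrap inserted into some of the paths.
SAMPLE_F2_LINE = (
    "F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,"
    "C:\\WINDOWS\\TEMP\\init.exe,C:\\WINDO WS\\system32\\actcontroller.exe,"
    "C:\\WINDOWS\\system32\\actcontroller.exe,C:\\WIND OWS\\system32\\c++.exe,"
    "C:\\WINDOWS\\system32\\i386kd.exe,C:\\WINDOWS\\system32\\pdb copy.exe,"
)

# A default Windows XP installation has exactly this one entry in Userinit.
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"

def parse_userinit(line):
    """Return the executables listed in an HJT 'F2 - REG:system.ini: UserInit=' line."""
    m = re.search(r"UserInit=(.*)$", line, re.IGNORECASE)
    if not m:
        raise ValueError("not an F2 UserInit line")
    # Drop spaces: the value is comma separated, and the spaces in the sample
    # are line-wrap artifacts rather than part of the file names.
    return [p for p in m.group(1).replace(" ", "").split(",") if p]

def suspicious_userinit_entries(line):
    """Every Userinit entry that is not the single expected userinit.exe.
    Duplicates are kept so the reader sees how many times a path was added."""
    return [e for e in parse_userinit(line) if e.lower() != EXPECTED_USERINIT]

def userinit_is_clean(line):
    """True only if Userinit contains userinit.exe and nothing else."""
    return [e.lower() for e in parse_userinit(line)] == [EXPECTED_USERINIT]
```

The HJT "Fix" of the F2 line is exactly the operation of reducing the value back to the single expected entry; this check tells you whether a later log still needs it.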
  #3  
Old 02-22-2009
Newcomer, in training
 
Location: Santo Andre, Portugal or Lisbon, Portugal
Member since: Feb 2009, 14 posts
Sorry for taking so long (I am at GMT)...
Here are the new logs. I was unable to run SDFix because, like SUPERAntiSpyware, the computer crashes showing a blue screen.

Thank you for your time

Andy Luis

Just one more thing: do you think I can connect my iPhone and iPod to my PC while it is infected? Or in other words, will this virus corrupt an Apple system?
Attached Files
File Type: txt log.txt (37.3 KB, 1 views)
File Type: txt mbam-log-2009-02-22 (09-50-48).txt (3.0 KB, 1 views)
File Type: txt hijackthis.txt (15.1 KB, 1 views)

Last edited by kimsland; 02-22-2009 at 08:01 AM.. Reason: merged 2 posts. instead of replying to yourself use v v EDIT v v
  #4  
Old 02-22-2009
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
OK good job!

But found some bad!

Run HJT Scan only, select and Fix the below.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TEMP\init.exe

Another run indicated!
OK, there were found/removed items in both MBAM and ComboFix, so we need to run again, as the first run likely exposed things that were not even seen the first time.

So another Quick Scan run will likely find more. So UPDATE MBAM and run again.

Then run ComboFix again.

Where is the SuperAntiSpyware log? We need it! So get it here.

Mike
  #5  
Old 02-22-2009
Newcomer, in training
 
Location: Santo Andre, Portugal or Lisbon, Portugal
Member since: Feb 2009, 14 posts
I can't run SUPERAntiSpyware...

Every time I run SUPERAntiSpyware and SDFix my computer crashes showing a blue screen.

Here are the latest logs.

I can't thank you enough for your time spent helping me.

Thank you

Andy Luis
Attached Files
File Type: txt hijackthis.txt (14.9 KB, 1 views)
File Type: txt log.txt (37.0 KB, 1 views)
File Type: txt mbam-log-2009-02-22 (13-59-27).txt (2.0 KB, 1 views)
  #6  
Old 02-22-2009
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
Well that alone is a sign something is wrong!

UPDATE and run MBAM and ComboFix again, as they had found/repaired items. I need to confirm they are gone, or that they cannot complete repairs or clean.

Then...

Uninstall SAS, reboot, download and reinstall SAS and update, but don't run it.

Boot to Safe mode with Networking and run SAS.

Mike
  #7  
Old 02-22-2009
Newcomer, in training
 
Location: Santo Andre, Portugal or Lisbon, Portugal
Member since: Feb 2009, 14 posts
SAS produced no logs...

I ran SAS in Safe Mode, once a full scan which resulted in 23 infections, and twice a quick scan which both resulted in no infections. I went to check for the logs but there were none.

I then tried to run SAS in normal mode but it resulted in a blue screen crash again.

I ran MBAM twice on quick scan. The first resulted in some infections which I suppose were successfully removed because the second run didn't find anything.

I attached the new logs.

P.S.: After SAS, when my computer rebooted, all my Win XP themes had disappeared and everything looks like Win 3.0.
Attached Files
File Type: txt hijackthis.txt (15.6 KB, 0 views)
File Type: txt log.txt (37.8 KB, 1 views)
File Type: txt mbam-log-2009-02-22 (17-37-30).txt (831 Bytes, 2 views)

Last edited by dilasluis; 02-22-2009 at 05:53 PM.. Reason: Add a P.S.
  #8  
Old 02-22-2009
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
To get the SAS logs:
1. Open SAS
2. Click Preferences
3. Click Statistics/Logs
So post me all logs, 1 at a time.

I need to see the MBAM log of what was found. What you had gives insight on how best to continue. Do not omit posting any logs.

So..

Open MBAM, click Logs and send me the other logs.

Then ...

Run ComboFix again as it had some really bad ones and we need to see that they really did go away or finds no more. We want a clean log.

Mike
  #9  
Old 02-23-2009
Newcomer, in training
 
Location: Santo Andre, Portugal or Lisbon, Portugal
Member since: Feb 2009, 14 posts
Here are the new logs...

I was able to find SAS logs... the problem was that the administrator account logs don't show up on my normal account statistics...

I will have to do 2 replies because I can only attach 5 files at a time...
Attached Files
File Type: txt hijackthis.txt (15.3 KB, 1 views)
File Type: txt log001.txt (44.2 KB, 1 views)
File Type: txt log002.txt (38.7 KB, 1 views)
File Type: txt log003.txt (38.3 KB, 1 views)
File Type: txt mbam-log-2009-02-22 (17-17-35).txt (2.1 KB, 1 views)
  #10  
Old 02-23-2009
Newcomer, in training
 
Location: Santo Andre, Portugal or Lisbon, Portugal
Member since: Feb 2009, 14 posts
And the other 5 logs...

Here they are...
  #11  
Old 02-23-2009
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
Now a fresh ComboFix log. Install Recovery Console.

Mike
  #12  
Old 02-23-2009
Newcomer, in training
 
Location: Santo Andre, Portugal or Lisbon, Portugal
Member since: Feb 2009, 14 posts
I already installed recovery console...

I believe this Recovery Console comes with ComboFix... if so, I installed it on the first ComboFix run... here is the log.
Attached Files
File Type: txt log.txt (44.8 KB, 2 views)
  #13  
Old 02-23-2009
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
OK, that shows these three critical files are infected:
Quote:
c:\windows\system32\svchost.exe
c:\windows\system32\spoolsv.exe
c:\windows\explorer.exe
Do this to find the backups (hopefully).

Left-drag the mouse and Copy, for pasting, all text in the box below.
Make sure the slider bar goes to bottom from the @ to the end of the second exit.

Then paste to the black screen of an open command prompt.
Code:
@echo off
cd\
rem Each "dir /s" lists every copy of the file on the C: drive, so any backup
rem copies (for example under ServicePackFiles) show up next to the live one.
rem The first line creates CFiles.txt on the Desktop; the rest append to it.
dir /s regedit.exe >"%USERPROFILE%"\Desktop\CFiles.txt
echo -------------------------------- >>"%USERPROFILE%"\Desktop\CFiles.txt
dir /s explorer.exe >>"%USERPROFILE%"\Desktop\CFiles.txt
echo -------------------------------- >>"%USERPROFILE%"\Desktop\CFiles.txt
dir /s userinit.exe >>"%USERPROFILE%"\Desktop\CFiles.txt
echo -------------------------------- >>"%USERPROFILE%"\Desktop\CFiles.txt
dir /s hal.dll >>"%USERPROFILE%"\Desktop\CFiles.txt
echo -------------------------------- >>"%USERPROFILE%"\Desktop\CFiles.txt
dir /s svchost.exe >>"%USERPROFILE%"\Desktop\CFiles.txt
echo -------------------------------- >>"%USERPROFILE%"\Desktop\CFiles.txt
dir /s spoolsv.exe >>"%USERPROFILE%"\Desktop\CFiles.txt
rem The second exit closes the command prompt window itself.
exit
exit
Now post the CFiles.txt from the new icon on the desktop back to the thread.

Mike

Last edited by mflynn; 02-23-2009 at 04:00 PM..
  #14  
Old 02-23-2009
Newcomer, in training
 
Location: Santo Andre, Portugal or Lisbon, Portugal
Member since: Feb 2009, 14 posts
New log...

here it is
Attached Files
File Type: txt CFiles.txt (3.9 KB, 2 views)
  #15  
Old 02-23-2009
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
Sorry, I had a typo and corrected it. Do it again.

Mike
  #16  
Old 02-23-2009
Newcomer, in training
 
Location: Santo Andre, Portugal or Lisbon, Portugal
Member since: Feb 2009, 14 posts
And the new log

here it is

Since we began, my computer has returned to the classic Windows appearance, a lot of files have been removed, like themes and help files, I cannot open links in Outlook due to an "administrator restriction", and I don't have sound or web camera (my drivers were uninstalled)... Is all this normal?
Attached Files
File Type: txt CFiles.txt (4.7 KB, 1 views)

Last edited by dilasluis; 02-23-2009 at 08:42 PM.. Reason: Adding info...
  #17  
Old 02-23-2009
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
Print this so you will have the commands below.

When booting, choose Recovery Console.

You will be asked to log in.

At the prompt (should be C:\WINDOWS>); if it is not, there is a problem, stop.
Type:
copy C:\WINDOWS\ServicePackFiles\i386\explorer.exe c:\windows
copy C:\WINDOWS\ServicePackFiles\i386\svchost.exe c:\windows\system32
copy C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe c:\windows\system32\spoolsv.exe

Answer yes to overwrite all of the above existing files.

Then type exit to reboot
Hit the Enter key
then
type
exit

This will reboot the computer, hopefully into Windows; if not, there can be other steps.

Mike
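Added example, not from the thread or from any of the tools it uses: before overwriting the three files with the copies from ServicePackFiles\i386 as in the Recovery Console steps above, a defender can first confirm that a backup exists for each file and that the live copy actually differs from it. This Python script does that comparison by SHA-256 over a constructed directory tree (the layout mirrors the paths in the thread; the file contents are made up for the demo).

```python
import hashlib
import os
import tempfile

# Files ComboFix flagged in the thread (relative to the system drive) and the backup folder.
CRITICAL_FILES = {
    "explorer.exe": os.path.join("WINDOWS", "explorer.exe"),
    "svchost.exe": os.path.join("WINDOWS", "system32", "svchost.exe"),
    "spoolsv.exe": os.path.join("WINDOWS", "system32", "spoolsv.exe"),
}
BACKUP_DIR = os.path.join("WINDOWS", "ServicePackFiles", "i386")

def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_with_backups(root, files=CRITICAL_FILES, backup_dir=BACKUP_DIR):
    """Per file: 'match', 'differs' (what an infected file should show), 'live missing' or 'backup missing'."""
    report = {}
    for name, rel in files.items():
        live, backup = os.path.join(root, rel), os.path.join(root, backup_dir, name)
        if not os.path.isfile(backup):
            report[name] = "backup missing"
        elif not os.path.isfile(live):
            report[name] = "live missing"
        else:
            report[name] = "match" if sha256_of(live) == sha256_of(backup) else "differs"
    return report

def demo_constructed_tree():
    """Constructed layout: explorer.exe intact, svchost.exe with bytes appended
    to stand in for a modified file, spoolsv.exe with no backup at all."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, BACKUP_DIR))
    os.makedirs(os.path.join(root, "WINDOWS", "system32"))
    sample = {"explorer.exe": (b"MZ explorer", b"MZ explorer"),  # (backup, live)
              "svchost.exe": (b"MZ svchost", b"MZ svchost appended junk"),
              "spoolsv.exe": (None, b"MZ spoolsv")}
    for name, (backup_body, live_body) in sample.items():
        if backup_body is not None:
            with open(os.path.join(root, BACKUP_DIR, name), "wb") as f:
                f.write(backup_body)
        with open(os.path.join(root, CRITICAL_FILES[name]), "wb") as f:
            f.write(live_body)
    return compare_with_backups(root)
```

A "match" only says the live file equals its backup; if the backup copy was infected as well (Dr.Web later reported over a thousand infected files on this machine), both hashes still agree, which is why the thread ends in a reinstall rather than a file-by-file restore.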
  #18  
Old 02-23-2009
Newcomer, in training
 
Location: Santo Andre, Portugal or Lisbon, Portugal
Member since: Feb 2009, 14 posts
I ran Dr.Web and I found win32.virut.56

Read this and see if it's really impossible to clean and whether it is better to reformat and reinstall...

Win32.Virut.56 FYI

So far Dr.Web found 1000+ infected files in ~800000 files...

It will take approx. 1.5 more hrs for Dr. Web to finish (it's already been running for 6 hrs...). As soon as it does I will post the logs...

Last edited by dilasluis; 02-23-2009 at 08:44 PM.. Reason: Adding info
  #19  
Old 02-23-2009
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
Well, we will see. I am glad you are being proactive; Dr Web is good.

Before the Recovery process above, can you post me the log and another ComboFix log, and see what it did to that before you proceed.

Mike
  #20  
Old 02-24-2009
Newcomer, in training
 
Location: Santo Andre, Portugal or Lisbon, Portugal
Member since: Feb 2009, 14 posts
Major system corruption!!!!

Dr. Web took 9 hrs or so to scan the computer. It found 5175 infected entries, of which 5151 were win32.virut.56 and the others were program.psexec.170, batch.virus, tool.prockill, trojan.download.29919, trojan.nt, rootkit.2670, trojan.wmaloader, and unknown threats...

By the time the search finished I was experiencing major system corruption such that, besides all I've described before, most of my drivers were corrupted and I couldn't access the internet any more (I'm currently posting this from a public PC)...

I have no choice but to format and reinstall. I followed the indications recommended by this thread in another forum.

As soon as I have more news/questions on this subject I will post here.

Thank you for your time
Tags
8 steps, virus infection, win32/heur