To rid the disease


BobbySocks

Hello TechSpot users.

Before I dive into the substance of the matter I feel it's obligatory that I point out how inspiring the work you guys do here is and how much I hope you keep on keeping on!
As for the thorn(s) that drove me to sign up here, I wish you and your masters a good riddance.

It all began when my main motherboard fried. Yanked my USB out, PC shut down, never to see the light again. Board went dead. Fine, no problem, I have a spare OptiPlex GX620 in the basement. Disconnected the dead corpse, hooked up the GX620 and installed from an XP SP2 Dell CD I've had from a past machine. Everything went through smoothly. Installed the recommended drivers (in the correct order!), AVG Internet Security, Spybot S&D, and other convenient software like MS Office etc. All this was done offline also. I proceeded to reboot as required by the driver installations.

The system restarted, I plugged in my network card, and began to browse the internet to DL other miscellaneous software, namely Firefox, mIRC etc. Everything was fine up until the point where AVG began reporting some "Win32/Heur" virus detection in my Windows folder, randomly spitting out "infected" files like rundll32, regsvr.dll and other native /windows/ files that I knew weren't problematic based on all that I mentioned before. I decided to ignore this and kept on browsing the internet via IE. I found mIRC and dl'd it to my local C drive with no drama. However, when I came to open the installed mirc.exe the hourglass flashed for a quick second and nothing happened after that. I proceeded into a clicking frenzy for approximately 1 minute to no avail. I cycled through everything from attempting to run it from a USB stick to creating a second account and running from there, with no success. However, by some luck I found myself right-clicking the exe and choosing the "Run as.." option and ran it under "Current user." End result: the thing opened (even though it kinda froze for a few seconds post-loading). Of course, this puzzled me for a good while. To the point where it led me to think that troubleshooting was a waste of my time! Heh, of course I recovered from this temporary takeover.

In a nutshell these are my main concerns. As sidenotes however, I'd like to add that:

1) I have two occurrences of Notepad.exe and explorer.exe (one set in c:\windows and the other in c:\windows\system32)

2) AVG seldom detects a Trojan Horse Gen "virus"
3) When I click "System" in the Control Panel I get an error dialog with an accompanying message along the lines of: "Windows cannot find C:\windows\system32\rundll32.exe. Make sure you typed the blagh blagh" you get the point.
4) Also AVG tends to regard every little thing I do as malicious content now. For example it'll pick up my printer's drivers as a virus @___@

My System Specs. are as follows:

OS Name: Microsoft Windows XP Professional
Version: 5.1.2600 Service Pack 2 Build 2600
System Type: X86-based PC
System Model: OptiPlex GX620
Processor: x86 Family 15 Model 4 Stepping 7 GenuineIntel ~2660 MHz
BIOS Version/Date: Dell Inc. A11, 11/30/2006
SMBIOS Version: 2.3
Total Physical Memory: 512.00 MB

All input greatly appreciated guys!
 
So you used the XP SP3 CD that Dell gave you for your computer with your old motherboard?
It could possibly have installed the wrong chipset drivers for your motherboard, though that doesn't really seem to be the issue here... but just make sure the motherboards are the same. It seems more like a malware problem.

Curiously, you're one of the first to take blowing a mobo so easily, and have a spare one right on hand lol.

Great post BTW.
 
Well, I didn't necessarily "receive" it from Dell... lol

My father picked it up on his way from work out of the garbage dump and we got a Dell Reinstallation XP CD from someone and ran it.
Also I think I did kinda mess up the driver installation order compared to what Dell recommended for my service tag... but would that minor detail be able to cause this much annoyance?

Also ty for the contribution kitty ^____~
 
Uninstall your AVG Antivirus
Then run the removal tool
Here is the 32Bit version (most users): http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe
Here is the 64Bit version: http://www.avg.com/filedir/util/avg_arv_sup_____.dir/avgremoverx64.exe

Run Startup Control Panel and remove any not required startups: (should be most, except Avira AntiVirus!)

Install Avira free AntiVirus

Have a look at:
UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

Yes yes good post :)
 
Thanks for the response kimsland

I followed your advice and uninstalled AVG and it forced me to reboot. So I did that. Upon rebooting, however, I was prompted with a Data Execution Prevention dialog box stating that "Windows has closed this program"

Name: Windows Logon UI

I hit close message and got a Don't Send/Send Error Report box. Hit Don't Send and then the PC hung. All I could observe was the beautiful, well co-ordinated colors of my desktop's wallpaper. However, I was not in the mood for that just yet! I decided to see if Task Manager would run... but no, DEP had to "close this program" just the same. So I was forced to restart.

Rebooted twice only to get the same result. I figured I'd reboot a third time but log on via Administrator and hopefully bear fruitful results. Well, in a sense, I did because I was able to log in to the account, but was still prompted with the DEP closing Windows Logon UI dialog etc. This goes on in an infinite loop after every successive Don't Send click so I just drag it to the side while I type this post right now.

I will continue on with the remainder of the steps and keep you posted with all that's new.

Thanks guys!
 
Yes AVG8 has a way of corrupting when Virus\Malware is likely present
The uninstall of this program was still worth it. If I were servicing it, and it had done that, I would have said "of course, just like AVG!"

Next, would be to go to Safe Mode with Networking, and then run the AVG Removal tool (note normally others users, do not need to do this in Safe mode)

Likely at this point I would suggest continuing as far as possible with the 8-step removal guide. Then at last go back to Normal mode, install Avira, and then continue the guide again

Please try that
And thanks for your thanks! too.
 
I see you decided to go with Avast Antivirus, even though I stated Avira to you
Avast is still a very good Antivirus (ie that's why it's in the guide) But I would have preferred you just went with what I "suggested"

By the way...


-> No action taken on MBAM scan, for found issues
Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected. <========= Not Done

Please re-run Malwarebytes
Confirm updated (third tab)
Then do the above quoted message, but this time "Remove all found issues"

By the way, you will need to then restart, and run (and attach) a new HJT log
We are at Post#8 and still require the logs, like it's post#1 still :(
 
Actually kimsland, Avira was giving me a hell of a time going through the setup; always returning some sort of "CRC of something changed" and then it'd abort and I'd have to start all over again.
Also my bad about the MBAM logs, I completely was out of the loop when I was saving that thing, thinking I had removed all the infections it had found. The results were kinda standard though, nothing out of the ordinary that I couldn't handle.
Another thing that I'm pretty curious about is what happened today after I installed SP3 and disabled Data Execution Prevention for Windows Logon UI and two other things, then rebooted.
Upon rebooting the system, right before it came to the point where it was time for the Logon screen to come up, I received a BSoD saying something along the lines of "Fatal Error Windows Logon Service has been terminated. The System has shut down."
This would go on to continue for two subsequent reboots. I decided to try logging in via safe mode - same thing. Last known good config, same thing. Ran a repair with the XP CD and was able to get back in. The hourglass flashing problem when attempting to open mIRC still lingers however. Bleh, I really don't know what in the world could possibly be the problem...
 
Did you run the AVG Removal tool I linked up there?
This really sounds like leftover AVG link scanning issues
 
Alright kimsland, I think I've been infected with the "w32.virut.*" virus according to Avast. In addition, based on all that I've been reading in relation to the virus and all its byproducts thus far, most of its symptoms are quite evident on my PC without a doubt. For example the failure to execute executables, random "sending message.." prompts, arbitrary IEXPLORER.exe popping up and so forth.

Investigating deeper into the situation I came to find out that my USB was also infected, and could well and possibly be the source of the culprit in the first place! (assuming from the various lines of action I've taken during the whole troubleshooting process, with my USB stick)
Unfortunately for me however, I found all this out after I had already injected my infected stick into my basement PC's port :(... no need to question what happened next..

Right now I'm typing on the OptiPlex in Safe Mode with Networking as it won't load in normal mode; after I enter my user password the system just hangs and shows only my wallpaper. When I hit ctrl+alt+delete nothing happens. The mouse is still up and running though!

I ran a scan on the USB and quarantined all the infected files (.exes mainly) with Norton at school, then installed Avast for U3 and ran a scan on it again and found nothing this time around. I'm assuming it's virut-free atm but I'm not willing to bet anything precious on that.

Now I'm just browsing the internet in hopes of finding a solution to this headache so I can have my babies back in action as soon as possible :(


edit: I attached an HJT log of a scan I ran in safe mode at the time of this post just in case
 
Well, all these can be ticked and fixed in an HJT scan
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TEMP\init.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Administrator\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Administrator\reader_s.exe (User 'Default user')

I'd recommend running Malwarebytes again too
 
Eh, it wouldn't let me run HJT again so I just said forget it and did a full reinstall... Everything's as good as new now (I think). I appreciate all the tips and hints you guys suggested throughout this whole dilemma; you dudes are really awesome. Thank you!

edit: in terms of reinforcing security in this new installation kimsland, how would you suggest going about that to prevent things like that happening in the future?
 
Lol alright got it.

As an anti-virus software though, would you recommend Avast/Avira?

edit: You guys are so awesome. Someday I'm definitely looking forward to giving back to this community in some form or another
 