Very bad system

Status
Not open for further replies.

plasma dragon00

hey guys, sorry to pull this on you, but im working on a pc for a friend of mine, and it is infected beyond belief. so many randomly named entries in startup (disabled all, now i can get on the system). cant download ANYTHING though, so i had to burn a cd from my good comp.

she had no AV, firewall, or anti malware/spyware installed...

safe mode wont see my disk (its rewriteable, maybe i should try normal) and normal mode is having a hard time copying/running from it... dare i risk plugging the flash drive i put into her pc back into mine... i think im gonna risk it. i have enough programs that should catch any nasties coming through

wait, here goes a copy from the cd!

anyway, while this attempts to copy, if i cant run it off of the cd, what shall i do? im going to run a combofix also, i cant see a harm in doing so (i wont be running any scripts for it yet anyway)... but if someone has anything against that, speak now lol.

no logs here yet, but if anyone has any ideas on what to do to start, please let me know.

btw, i also manually found and deleted command.exe. heard it was a virus. sitting in my recycle bin right now.

edit - copied programs to my flash drive, no problem. so many things, as shown by an avast scan, are infected by the Win32:Vitro virus. also Win32:Trojan-gen {Other}. boot time scans ftw.

edit - also Win32:Driller
 
ya know what, nevermind on the help. the computer is FUBAR. an avast! boot time scan found 1501 infected files, many belonging to windows critical files. upon boot (in reg and safe mode) it logs the user on, shows desktop wallpaper, and promptly logs you off. i gotta hook it up to my pc, remove my hard drives, and copy it all to a drive or burn it to a disk using linux (her pictures and music, forgot to say that) actually, given the burners work, i can do it from her computer i guess. once i can get the logfile, ill post it here for the lulz.
 
Please follow the steps in the Virus and Malware Removal HERE:

When you have finished, please attach the three logs to your reply.

Please do NOT run any other programs, including ComboFix unless your helper instructs you to do so.
 
Theres the virus log, whoever feels like taking a look at it, go ahead. if not, thats fine, im formatting the system and reinstalling windows

DBAN DoD 5220.22-M 7 passes, 2 rounds. I want to make sure everything here is dead lol.

feel free to close this
 

Attachments

  • aswBoot.txt (143.7 KB)
Well, you get the prize for the most infected files I've ever seen! A distinction you surely don't want!

Probable causes:
1. Java: not only are you behind the most current version, v6u13, but you have not uninstalled any of the previous versions. Each of these presents a security risk.
2. Many infections were in the following files:
My Games:
"cybercriminals are designing malware to steal logins for online game accounts."
http://www.symantec.com/norton/antivirus-gaming/articles/details.jsp?aid=article_9

3. tsDeductible2005: out of date TurboTax
4. Lack of security protection.
5. Unsafe surfing.

Win32:Driller
This is a per-process memory resident parasitic high-polymorphic Win32 virus. The virus infects PE EXE files that have .EXE, .SCR, and .CPL filename extensions. When run, the virus infects these files in current Windows and Windows system directories.

The virus also stays in the system memory as a component of the infected host program, gains access to KERNEL functions and intercepts 15 of them: file searching, opening, copying, moving functions, etc. When a PE EXE file is accessed by these functions, the virus infects it. As a result, the virus will infect all PE EXE programs that are accessed by the infected host program, and the virus will be active until the moment the host program exits.

While infecting a file, the virus encrypts its 8K of code and stores it at the end of the file. Then the virus reads 8K of the victim file's code, encrypts it and also saves it at the end of the file. That "cave" is then filled with polymorphic virus code that decrypts the main virus code and passes control there.

Win32:Vitro:
1. A new *hardcore* file infector from the authors of Virut.
The Virut family of viruses uses polymorphism to hide from all anti-virus protection; it infects executable files. File infection makes it very hard to repair a system that has been infected. W32/Vitro injects code into running processes and hooks the following functions in ntdll.dll, which transfers control to the virus every time any of these function calls is made.

So Virut will attach to an important system file that is used for a plethora of things, and so creates room for the virus as it pleases, so to say, because almost every program makes use of these system APIs. Also, the virus scanner itself is not immune to it....
Scanning from another computer is not a very bright thing to do either when a file infector is involved, given the risk of re-infection; the only sensible thing to do in such a case is to use a PE CD.
The virus only injects when it is active, but an autorun is also enough to infect.
The best policy is preventing infection by running fully updated and patched Windows and third-party software, and using in-browser security like Firefox with NoScript installed. Malcreants at the moment will use every weakness in IE browsers known for spreading their drive-by malware infectors.....and one ounce of prevention is worth 10 kg of cleansing after the fact....
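The "PE" in that description is the Portable Executable format used by Windows binaries. As an added example (not from this thread, any vendor write-up or any project's code), the Python below parses a PE file's section table and reports two traits the Driller description points at: data appended after the last section (an overlay) and an entry point that falls outside every section. The sample image is constructed inline for testing only; it is a triage heuristic for inspecting files offline from a clean boot medium, not a detection signature.

```python
import struct

def parse_pe(data):
    """Parse the headers of a PE image (bytes) and report where the file ends
    relative to its section table, plus which section holds the entry point."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", data, pe_off + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)   # SizeOfOptionalHeader
    entry_rva, = struct.unpack_from("<I", data, pe_off + 40)  # AddressOfEntryPoint
    sec_off = pe_off + 24 + opt_size                          # first IMAGE_SECTION_HEADER
    sections, image_end = [], 0
    for i in range(nsec):
        off = sec_off + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rsize, raw = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vaddr, vsize, raw, rsize))
        image_end = max(image_end, raw + rsize)               # end of last section on disk
    entry_sec = next((n for n, va, vs, _, rs in sections
                      if va <= entry_rva < va + max(vs, rs)), None)
    return {"entry_section": entry_sec, "overlay": len(data) - image_end,
            "sections": [s[0] for s in sections]}

def build_sample(entry_rva, trailing=b""):
    """Constructed minimal PE32 image with one .text section, for testing only.
    `trailing` is appended after the last section's raw data (an overlay)."""
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0x200, 0, 0, entry_rva)
    opt += b"\0" * (224 - len(opt))                 # rest of the optional header zeroed
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200,
                                        0, 0, 0, 0, 0x60000020)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + coff + opt + sec
    hdr += b"\0" * (0x200 - len(hdr))               # pad headers up to PointerToRawData
    return hdr + b"\xC3" * 0x200 + trailing         # .text raw data, then optional overlay

def triage(data):
    """Return a list of human-readable findings for one PE image."""
    info = parse_pe(data)
    findings = []
    if info["overlay"] > 0:
        findings.append(f"{info['overlay']} bytes of data after the last section (overlay)")
    if info["entry_section"] is None:
        findings.append("entry point does not fall inside any section")
    return findings
```

Run `triage(open(path, "rb").read())` against files copied off the suspect drive; a clean build of the constructed sample yields no findings, while one with 8K appended and a redirected entry point yields both.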
 
lol at "prize for most infected files ive ever seen". i was quite amazed as well, and thats JUST the avast log. it also found about 20 things during the initial memory scan, bit defender online found 33 (couldnt run trend micro house call), spybot SD found 498 items (combination of malware, spyware, adware, PUPS, and trojans) and who KNOWS what else was there.

so yeah, im considering this done, im just nuking the hard drive with dban. one thing, just out of curiosity, is when you put the quote of Win32: Driller, it keeps saying "PE EXE files" what does the PE in that mean?

and, the award isnt linked to me directly... im just the guy who fixes it lol =P

well thanks for the help, as well as the definition on some of these viruses bobbye ^_^

EDIT! - one last big thing, i hooked a 512 flash drive to her pc to try to install antiviruses to it, and then i hooked it back into mine to copy more things to it. i scanned it when i plugged it into mine first, avira (though im now using avast free) found 3 viruses, one in the mbam installer, spybot installer, and the avira installer. i thought they were false positives, the thing said it was exhibiting behaviors of malware (i think). what is the risk that a virus copied off of her pc to mine through the flash drive? i also plugged it in on windows 7 to install dban to it, avira scan found nothing. i run the windows 7 drive in the same case as my xp drive, hooked up at the same time. if, say, 7 got infected, would/could it copy to my xp drive? an avast boot time scan (running from xp, scanned both drives) showed completely clean. i have no problem formatting my 7 drive, would prefer not to format my xp drive if i dont have to, but its getting RMA'ed to seagate soon anyway.

then, what about the viruses copying to my data drive (separate 1tb drives, also hooked up at same time)? is it safe to play WoW? OH the inhumanity, the confusion, the question.

if you could assist me with my paranoia on the mentioned topics, i would be very appreciative.
 
bobbye, i feel like im asking a lot, but would you mind helping me make sure my computer is clean by me following the removal steps?
 
What, re-partitioning (basically formatting) and starting a fresh install?

Well that's pretty easy, did you need a guide for that?


Microsoft's Windows XP Professional Repair Install step by step (* Including Delete Partition)
http://www.windowsxpprofessional.windowsreinstall.com/sp2sp3installxpcdoldhdd/indexfullpage.htm

Microsoft's Windows XP Home Repair Install step by step (* Including Delete Partition)
http://www.windowsxphome.windowsreinstall.com/sp2sp3installxpcdoldhdd/indexfullpage.htm

Vista Repair:
http://www.windowsreinstall.com/winvista/index.htm (index page)
http://vistahomepremium.windowsreinstall.com/repairstartup/repairstartup.htm (guide)

* Warning deleting the Partition will remove all User data and Windows system files
 
The steps for Virus and Malware Removal are HERE

Follow the steps- they are well set out. Then attach the 3 logs and I'll review them. I can't do much until I see what's on the system. Be SURE to check the lines in Malwarebytes and SuperAntispyware to remove what is found. Don't attempt to remove anything in HijackThis. Most of the entries are legit- I'll tell you which need to go.

If the amount of infection is anything as bad as in Post #4, I doubt we'll be able to clean it.

This thread is for the use of plasma dragon00 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Virus and Malware Removal Forum.


EDIT: kimsland, we were posting at the same time! Yours wasn't there when I started.
 
was playing WoW, and it randomly exited, no error message or crash report, nothing.

may have to do with my new mouse, just a coincidence, but, ya never know. any ideas?
 
We'll be stopping here. TechSpot does not help users with pirated software:

C:\PROGRAM FILES\STARDOCK\OBJECTDOCK\KEYGEN.EXE
C:\RECYCLER\S-1-5-21-1085031214-1078081533-839522115-1004\DC1\STARDOCK OBJECTDOCK PLUS V1.90.535U\FIXED PATCH\KEYGEN.EXE

Pirated software is defined as the illegal exchange of software via the Internet for purposes of avoiding the purchase of said software by the individuals involved. The exportation of software or technical information in violation of US export control laws is also prohibited.
 
those actually belong to my sibling who uses my computer when i dont, would you consider helping me if i uninstalled the program?
 
If you would
  1. create a new login for each user
  2. make them all Limit Accounts with passwords
  3. you would have avoided 90% of this corruption
NEVER go online with the Admin account!

I'm sure you've experienced enough pain to alter your next system appropriately :)
 