Pretty bad

My uncle's computer got something pretty nasty. Whatever it is, it won't let me run a Spybot S&D scan, it shuts down DHCP, and it disabled the Task Manager. It did run HJT, and it doesn't look pretty. Help, please?

Comments

  • edited March 2009
    The log file is way too long to try and post here, which is why I have it attached. I hope that's OK. Most of it is just repetitions, though.
  • Trogan, London, UK
    edited March 2009
    Hi,

    The computer is in a bit of a mess. Let's see how much we can clean.

    Please do the following...

    1. Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
    This program is for XP and Windows 2000 only!
    • Double-click ATF Cleaner.exe to open it.
    • Under Main select the following:
      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Java Cache
    *The other boxes are optional*
    Then click the Empty Selected button

    Click Exit on the Main menu to close the program.

    2. Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log in your next reply.
    3. Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    4. I need to see another log from HijackThis.
    • Run Hijackthis.
    • Click on Open the Misc Tools section.
    • Next click on Open uninstall manager.
    • Press the Save list button.
    • Save the file to your desktop, with the default name of uninstall_list
    • Copy & paste the entire contents of that file in your next post.
    5. Please post the following...

    SDFix report
    Malwarebytes log
    Uninstall list
    New HijackThis log
  • edited March 2009
    Sorry, I was out of touch for the weekend. I'll get the reports up ASAP. Thanks.
  • edited March 2009
    I tried transferring the programs using a flash drive, as it's impossible to do much on the infected computer. The only program that ran was ATF Cleaner, and even then it would hang for a few minutes. The other two programs wouldn't run at all; after I double-clicked the icon, the hourglass would appear next to the cursor for a few seconds and nothing would happen. It keeps trying to load onlinenotify .net, and when I plugged the flash drive back into my computer it said that ATF Cleaner (the only program that ran) was infected by a virus, PE_VIRUX.C-1.
  • Trogan, London, UK
    edited March 2009
    Hi,

    I have some bad news! I have just noted that your HijackThis log shows you have a variant of the Virut infection, amongst others, but Virut is the worst.

    Virut is a file-infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
    For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

    More information:
    http://free.avg.com/66558
    There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.
    http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=143034
    W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
    It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
    Immediately before the encrypted code at the end of the last section
    At the end of the code section of the infected host in 'slack-space' (assuming there is any)
    At the original entry point of the host (overwriting the original host code)
    Miekiemoes, an expert for malware removal, and an MS-MVP, additionally has a blog post about Virut.

    I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc.
    Do NOT back up any applications/installers, and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files.
    This is because these files may be infected as well. If you back them up and restore them afterwards, they will infect your computer again.

    Read here for instructions on how to format and reinstall Windows:

    http://web.mit.edu/ist/products/winxp/advanced/reinstall-format.html
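The McAfee description quoted in the reply above lists header-visible traits of a PE file infector: code appended to the end of the last section, and a decryptor placed either there, in the slack space of the code section, or at the original entry point. The script below is an added example, not part of the thread and not code from any AV product; it reads only PE headers and reports those layout traits as triage findings. The two sample files it inspects are constructed in the script itself, and the "last section is writable and executable" check is a general heuristic of mine, not a trait the quoted description states. Header triage cannot see the variant that overwrites host code at the unchanged entry point, so it does not replace a scanner or the reinstall the reply recommends.

```python
"""Header-level triage of a PE file for file-infector layout traits.

Added example (not from the thread, not an AV tool): flags an entry point (EP)
that lands in the last section, in a section's slack space past VirtualSize,
in a non-code section, or outside every section, plus a W+X last section and
trailing overlay data. Sample PEs below are constructed, not real binaries.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsects = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # same offset for PE32 and PE32+
    sections = []
    for i in range(nsects):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(dict(name=name.rstrip(b"\0").decode("ascii", "replace"),
                             vsize=vsize, va=va, rawsize=rawsize, rawptr=rawptr, chars=chars))
    return entry_rva, sections


def triage(data: bytes):
    """Return a list of finding strings; an empty list means nothing odd at header level."""
    entry_rva, sections = parse_pe(data)
    if not sections:
        return ["no sections"]
    findings, last = [], sections[-1]
    # Locate the EP's section. Use max(VirtualSize, SizeOfRawData) so an EP
    # parked in file-alignment slack space still maps to its section.
    home = next((s for s in sections
                 if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if home is None:
        findings.append(f"entry point 0x{entry_rva:x} is outside every section")
    else:
        if home is last and len(sections) > 1:
            findings.append(f"entry point is in the last section ({home['name']})")
        if not home["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            findings.append(f"entry point section {home['name']} is not marked code/executable")
        if entry_rva - home["va"] >= home["vsize"]:
            findings.append(f"entry point lies in the slack space past VirtualSize of {home['name']}")
    # Heuristic (my assumption, not from the quoted description): appended code
    # in a data section only runs if that section was made executable.
    if last["chars"] & IMAGE_SCN_MEM_WRITE and last["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"last section {last['name']} is both writable and executable")
    end_of_image = max(s["rawptr"] + s["rawsize"] for s in sections)
    if len(data) > end_of_image:
        findings.append(f"{len(data) - end_of_image} bytes of overlay data past the last section")
    return findings


def build_pe(specs, entry_rva, overlay=b""):
    """Construct a minimal PE32 file from (name, va, vsize, rawsize, chars, body) specs."""
    file_align, nsect = 0x200, len(specs)
    hdr_size = -(-(0x40 + 4 + 20 + 0xE0 + 40 * nsect) // file_align) * file_align
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, 0xE0, 0x102)  # i386, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, file_align)     # ImageBase, aligns
    table, bodies, rawptr = b"", b"", hdr_size
    for name, va, vsize, rawsize, chars, body in specs:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
        bodies += body.ljust(rawsize, b"\0")
        rawptr += rawsize
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(hdr_size, b"\0") + bodies + overlay


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed clean layout: EP at the start of .text, .data last and non-executable.
CLEAN = build_pe([(b".text", 0x1000, 0x100, 0x200, CODE, b"\xc3"),
                  (b".data", 0x2000, 0x100, 0x200, DATA, b"hello")], entry_rva=0x1000)

# Constructed infected-looking layout: EP redirected into the last section, which
# was made executable and whose raw size grew past VirtualSize to hold a blob;
# 64 bytes of overlay follow the last section.
INFECTED = build_pe([(b".text", 0x1000, 0x100, 0x200, CODE, b"\xc3"),
                     (b".data", 0x2000, 0x100, 0x400, DATA | IMAGE_SCN_MEM_EXECUTE,
                      b"hello".ljust(0x100, b"\0") + b"\xe9" + bytes(0x2FF))],
                    entry_rva=0x2100, overlay=b"\x90" * 64)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, triage(blob) or ["no header-level findings"])
```

Run against a real file with `triage(open(path, "rb").read())`; a clean Windows binary normally yields no findings, while an infector that redirects the entry point into an enlarged last section trips several at once. A hit is a reason to quarantine and scan, not a verdict, and an empty result proves nothing against the EP-overwriting variant.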