BleepingComputer.com: inexperienced computer user

hi everyone , sorry have a slight problem , which is my own fault , right im running avg and this detected several mallware and viruses . ive got them under control as far as i can now use my computer and the internet again , but as far as any websites that are official security companies on the net including microsoft i can get into , my ei7 just says unavaliable site . anythoughts please would be greatfully recieved...

Welcome to BC... Let's get an MBAM log.

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
  
• Double-click on mbam-setup.exe to install the application.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
    
  • Launch Malwarebytes' Anti-Malware
  
  
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
  
• Then click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

hi thanks for getting back to me . well eventually i managed to do as you said as explorer wouldnt let me download what i needed . but eventually got there . well the log you asked for is now done , intresting but frightning reading .. hope you will be able to advise me further as to the best course of action .....
Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

7/6/2009 12:31:54 PM
mbam-log-2009-07-06 (12-31-54).txt

Scan type: Quick Scan
Objects scanned: 78640
Time elapsed: 1 minute(s), 55 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 8
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 24

Memory Processes Infected:
C:\WINDOWS\services.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\STEVE\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d9c9a8c9-460d-4343-888e-ae02bcc3ce57} (Adware.SpeedApps) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d9c9a8c9-460d-4343-888e-ae02bcc3ce57} (Adware.SpeedApps) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{35cfe9b1-81c2-4d01-a350-a759292ad7fc} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protect (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Speedapps (Adware.Speedapps) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Speedapps (Adware.Speedapps) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{d9c9a8c9-460d-4343-888e-ae02bcc3ce57} (Adware.SpeedApps) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{d9c9a8c9-460d-4343-888e-ae02bcc3ce57} (Adware.SpeedApps) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\services\del (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\speedapps (Adware.SpeedApps) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\STEVE\reader_s.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\services.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\reader_s.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\Program Files\speedapps\tbspee.dll (Adware.SpeedApps) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\protect.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Program Files\speedapps\tbspee.zip (Adware.SpeedApps) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM734e5e41.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM734e5e41.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

im now not touching anything until i here back from you ... best wishes for the day , and thankyou sooo much again .....

Sorry to butt in but you are fighting a lost cause with this infection, you have virut.

The sooner you turn off that computer the better, use another to read up on the infection.

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. URL=http://blog.trendmicro.com/virux-cases-escalate/]Virux[/URL] is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, and .html). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable.

Quote

McAfee Risk Assessment and Overview of W32/Virut

Quote

AVG Overview of W32/Virut

• miekiemoes' Blog on Virut.
  
• Virut and other File infectors - Throwing in the Towel?

This kind of infection is contracted and spread by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

Quote

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

• How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
  
• What Should I Do If I've Become A Victim Of Identity Theft?
  
• Identity Theft Victims Guide - What to do

There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

• When should I re-format? How should I reinstall?
  
• Help: I Got Hacked. Now What Do I Do?
  
• Where to draw the line? When to recommend a format and reinstall?

i cant turn of my computer as it is contolling my cctv .. thanks for the honest but gloomy answer though . so where from here if anywhere , can it be repaired or do i just have to grin and bear it till it dies ????????

It would be a lot less trouble to wipe the computer and reinstall, if you don't read about the infection you may end up doing the reinstall several times.

Hopefully you have saved videos on a seperate partition

most of music and dvds and security vidios are all on the d drive . . the one thing i dont yet know is if i burn these to disk if i will take the virus with them ... the other question is about my security software .. its not avaliable very easy and can i save that from my system also ... loads of questions . sorry to be such an idiot when it comes to computers ....

Music and video are not infected by virut but should be scanned by a good antivirus for other infections.

Software will be infected and cannot be saved.

well im taking your advice and reading up on it . ive now learnt which parts are virus and which are false ids .. gonna give norman malware cleaner ago . and run it the same time as malware bytes . see what we come up with now . thankyou sooo much for the help and advice you have given ....

If you insist on trying to fix this infection instead of following our advice to reformat and reinstall your operating system, there are various rescue disks available from major anti-virus vendors which you can try. Keep in mind, even the vendors like Kaspersky say there is no quarantee that some files will not get corrupted during the disinfection process. In the end most folks end up reformatting out of frustration after spending hours attempting to repair and remove infected files. IMO the safest and easiest thing to do is just reformat and reinstall Windows.

Bleeping Computer DOES NOT assume any responsibility for your attempt to repair this infection using any of the following tools. You do this at your own risk and against our advice.

These are links to Anti-virus vendors that offer free LiveCD or Rescue CD files that are used to boot from for repair of unbootable and damaged systems, rescue data, scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO Image file format. Avira uses an EXE that has built-in CD burning capability.

• Avira AntiVir Rescue System - Tutorial for Avira Rescue CD.
  If you encounter problems running the Rescue Disk, you can get further assistance at the Avira Support Forum.
  
• Dr Web LiveCD. Be sure to print out and follow the instructions provided in the User Manual.
  
• F-Secure Rescue CD - Rescue CD 3.01 released.
  Video: How to Remove Malware with F-Secure Rescue CD
  If you encounter problems running the Rescue CD, you can get further assistance at the F-Secure Support Forum.
  
• BitDefender LiveCD - Index of /rescue_cd
  If you encounter problems running the Rescue CD, you can get further assistance at the BitDefender Support Forum.
  
• Kaspersky RescueDisk - Index of /devbuilds/RescueDisk/
  If you encounter problems running the RescueDisk, you can get further assistance at the Kaspersky Support Forum.

If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

its not so much an insistance but more of a nicesety for me at the mo as i said before i have a shop which the computer runs the cctv for and while that is still working its a must for me .. to be without cctv for a week here is just not an option (its a jewellery shop) . so im not trying to remove the problems but just limit them .. and try and get through the rest of the summer season . a rebuild then can happen in the winter months . the other problem is that im english and living in turkey and had this system custom built .. but i reallly do thankyou for your excellent help and advice .. if you have any further sugestions im always gratefull ..

after thinking about it . you are right . im going for the rebuild approach ,please if you dont mind i have a couple of more questions . i thought of trying out the xp black version , are there any programs i can download to sort out the problem of missing drivers i will undoubtably have . i do have some of the origional disks for asus and hp but as im only very very average at this wondering if you have any further helpfull hints please .. and ty for your time once again . its appreciated.....

Hi donkeyboy, You should now ask those questions from a new topic in the XP forum, so the OS people can answer you better than I.

ok thnaks for the tip . have a nice day .....