Windows won't start up! Please help!

My computer totally won't start up. I recently got rid of a bunch of viruses, spyware, etc... Now when I log on, my desktop background shows up, but nothing else. I can't start anything, including the task manager. When I try to log on to safe mode, it lets me click on my account, but then it says: ntos.exe has encountered a problem and needs to close. I don't have the windows installation disk because the version was quite old and now Microsoft says it's not valid. I tried to use Norton Recovery Tool, but all it showed was a vista-like loading screen, and then freezes. I have service pack 1, i had Malaware Bytes, a-squared, Spybot, and avast installed. Any tips, or is my computer ruined?

If you cannot bootup in normal or safe mode as a result of a malware infection, then your options are limited. You may be able to use a Windows XP bootable Floppy Disk to boot from a diskette instead of your hard drive. If your hard drive's boot sector or Windows' basic boot files have been corrupted, this disk will circumvent the problem and boot you into Windows. If you don't have an emergency boot floppy, you may be able to use one created on another PC running Windows XP but there's no guarantee that it will boot your machine.

• Resolving Boot Issues with a Boot Floppy Disk.
• How to obtain Windows XP Setup boot disks" and select the download that's appropriate for your Operating System. The Setup boot disks are available so that you can run the Setup program on computers that cannot use a bootable CD-ROM.

Another option is to create a Bootable CD:

• How To Boot your Computer from a Bootable CD or DVD
• How to Create a Bootable Windows XP Setup Disk on a Preinstalled/Preloaded Windows System
• Bart's way to create bootable CD-Roms, Bart's Preinstalled Environment (BartPE)
• Making a bootable Windows 2000 CD
• Making a Bootable Windows 2000 CD with Service Pack integrated

These are links to Antivirus vendors that offer free LiveCD or Rescue CD files that are used to boot from for repair of unbootable and damaged systems, rescue data, scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO Image file format. Avira uses an EXE that has built-in CD burning capability.

• Avira AntiVir Rescue System - Avira's download page.
  If you encounter problems running the Rescue Disk, you can get further assistance at the Avira Tools Support Forum.
• Dr Web LiveCD. Be sure to print out and follow the instructions provided in the User Manual.
• BitDefender LiveCD - Index of /rescue_cd
• Kaspersky RescueDisk - Index of /devbuilds/RescueDisk/
• F-Secure Rescue CD - Rescue CD 3.01 released.
• Video showing How to Remove Malware with F-Secure Rescue CD

If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Sorry for my late reply. I tried Bitdefender, and it said, "Could not find KNOPPIX file system,sorry. Dropping you to a very limited shell." Next, I tried Kapersky. After a few screens, it just showed a blank screen and nothing happened. I managed to get Antivir to scan, but at the end it said:

Objects Found: 7998 ( )
Warnings: 5
Repaired: 0
Deleted: 0
Quarantined: 0

It didn't seem to remove anything. I noticed that all of the viruses were either Win32:Vitro ,or, something like HTML iframe. Do you think I should try this? Link

Win32:Vitro is another name for the Win32:Virut family of malware.

Virut / Virux, are polymorphic file infectors with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. Virux is an even more complex file infector which also infects script files (.php, .asp, and .html). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable.

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

• miekiemoes' Blog on Virut.
• Virut and other File infectors - Throwing in the Towel?

This kind of infection is contracted and spread by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

• How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
• What Should I Do If I've Become A Victim Of Identity Theft?
• Identity Theft Victims Guide - What to do

There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

• When should I re-format? How should I reinstall?
• Help: I Got Hacked. Now What Do I Do?
• Where to draw the line? When to recommend a format and reinstall?

Is there ANY way to fix this? I have some very important info on there. Could I try to boot the hard drive from another computer that is secure? Or will that just infect the clean computer? I never used any banking, or anything on there. Can any of the programs you listed earlier disinfect it just enough, so I can recover my files? Is there any other way to save the files? I never backed it up.

Edited by sidorak95, 06 May 2009 - 04:29 PM.

If your system is damaged to the point where it no longer will boot and you need to reformat and perform a clean install, but want to salvage you data, another option is to remove the infected hard drive and install a new one. Then you can configure the old hard drive as a "slave". That way you should be able to access it and salvage some of your data files. For instructions on how to do this, see:

• Illustrated How to Replace a Hard Drive
• Guide to Installing a Hard Drive
• Video: How to Install an Additional Hard Drive
• How to Change the Master/Slave Designation on a Hard Drive
• Data Recovery Tutorial: How to Slave a Hard Drive

Keep in mind, with a Virut infection, there is a chance you will infect the new hard drive. You can salvage your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. Do not attempt reovery of any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, and .html) files because they may be infected by malware. Avoid recovering compressed files (.zip, .cab, .rar) that have executable files inside them as some types of malware can penetrate and infect .exe files within compressed files.

If you need additional assistance with this, you can start a new topic in the Hardware forum where other members can help you through the process.

I found this, do you think this will work?

I found this remover by AVG, do you think it will work with KNOPPIX 5.01?

Thanks

Virut is easy to remove, but then all the infected files will be permanently deleted. I recommend trying the DrWeb Live Cd, as DrWeb has cured virut infections for me in the past.

You can try the AVG Win32/Virut Remover. It was last updated in August 2008 and is not always effective for the reasons I indicated above. However, even the instructions provided by AVG say the tool will try to heal the infected files. That is not the same as quarantee.

There are various rescue disks available from major anti-virus vendors which you can try. However, even the Kaspersky Techs say there is no quarantee that some files won't get corrupted through the disinfection process. In the end most folks end up reformatting out of frustration after spending hours attempting to repair/remove infected files. IMO the safest and easiest thing to do is just reformat and reinstall Windows.

Thanks for your input. I'm gonna see if the Dr. Web Live CD will work.

Ok, I added the infected hard drive to a clean computer as the secondary hard drive. The clean computer has: Norton Antivirus 2009, Spybot Search and Destroy, Malaware Bytes Anti-Malaware, a-squared Free, Spyware Terminator, Spyware Blaster, and Superantispyware Free. I ran Malaware Bytes in safe mode, it detected 25 items. I'll post the log after I reboot into safe mode and get it off the Administrator account's desktop. I ran Spyware Terminator, 5 items found. It removed one, and then said couldn't find the files for the other 4. Ran Superantispyware, found either 6 or 7 items, all removed. I'll post the log later. Ran spybot, nothing found. I ran Norton, detected alot of items. Here's a list:

Packed.Generic.200(1) - Removed
Infostealer.Gampass(1) - Removed
W32.Virut.CF(14) - Removed
Trojan.Maliframe!html(29) - Removed
W32.Spamuzle.D(1) - Removed
Trojan.Neprodoor!inf(1) - Removed

Any further suggestions? I haven't tried booting from the hard drive yet.

SUPERAntispyware Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/10/2009 at 07:13 PM

Application Version : 4.26.1002

Core Rules Database Version : 3843
Trace Rules Database Version: 1798

Scan type : Complete Scan
Total Scan Time : 02:11:33

Memory items scanned : 289
Memory threats detected : 0
Registry items scanned : 4979
Registry threats detected : 0
File items scanned : 53649
File threats detected : 28

Adware.Tracking Cookie
C:\Documents and Settings\Allen\Cookies\allen@traffic.uusee[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
D:\Documents and Settings\Administrator\Cookies\administrator@media6degrees[2].txt
D:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@insightexpressai[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt
D:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[2].txt
D:\Documents and Settings\Administrator\Cookies\administrator@apmebf[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@kontera[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt
D:\Documents and Settings\Grace\Cookies\grace@adbrite[1].txt
D:\Documents and Settings\Grace\Cookies\grace@atdmt[2].txt
D:\Documents and Settings\Grace\Cookies\grace@ad.yieldmanager[2].txt
D:\Documents and Settings\Grace\Cookies\grace@kontera[2].txt
D:\Documents and Settings\Grace\Cookies\grace@doubleclick[1].txt
D:\Documents and Settings\Grace\Cookies\grace@tribalfusion[1].txt
D:\WINDOWS\system32\config\systemprofile\Cookies\system@atdmt[1].txt
D:\WINDOWS\system32\config\systemprofile\Cookies\system@msnaccountservices.112.2o7[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@ads.addynamix[1].txt
E:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt

Trojan.Smitfraud Variant-Gen/Bensorty
D:\SYSTEM VOLUME INFORMATION\_RESTORE{99C74EC4-8220-44C6-8A2E-B2D79F7AC498}\RP37\A0027865.DLL
D:\WINDOWS\SYSTEM32\SDRGFCVBF.DLL

Trojan.Downloader-NTOS/WSNPOEM
D:\WINDOWS\SYSTEM32\NTOS.EXE

Trojan.Agent/Gen-XCC
D:\WINDOWS\XCCDF16_090305A.DLL

Adware.Vundo/Variant-WPF
D:\WINDOWS\XCCDF32_090305A.DLL

Trojan.Unclassified/Loader-Suspicious
F:\DXC\27.10 PLATINUM\PLATINUM FIX\LOADER.EXE
G:\DXC\27.10 PLATINUM\PLATINUM FIX\LOADER.EXE


Spyware Terminator Log:

Logfile of Spyware Terminator v2.5.6.316 (db:3.005.007.000)
Scan Time: 5/10/2009 7:00:28 PM length: 2024 s
Platform: WXP (5.1.0.2600)
User: Admin
Boot Mode: Safe
Scan type: Full_Spyware_Scan
Scanned Objects: 80396 (Critical:5)
Filter: No System items, No Safe items, No Invalid items

Running Processes
Navw32.exe [Symantec Corporation] : C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\Navw32.exe

Internet Settings
R - HKLM\Software\Microsoft\Internet Explorer\Main, Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R - HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R - HKLM\Software\Microsoft\Internet Explorer\Search, CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R - HKLM\System\CurrentControlSet\Services\Tcpip\Parameters, Domain =
R - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony, DomainName =

BHO
02 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - [Ask.com] : C:\Program Files\AskBarDis\bar\bin\askBar.dll
02 - BHO: KeyScramblerBHO Class - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - [QFX Software Corporation] : C:\Program Files\KeyScrambler\KeyScramblerIE.dll
02 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - [RealPlayer] : C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
02 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - [Symantec Corporation] : C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL
02 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - [Sun Microsystems, Inc.] : C:\Program Files\Java\jre6\bin\jp2ssv.dll
02 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - [Sun Microsystems, Inc.] : C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

Toolbars
03 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - [Ask.com] : C:\Program Files\AskBarDis\bar\bin\askBar.dll

StartUps
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, SnoopFreeUI : [SnoopFree Software] : C:\WINDOWS\SnoopFreeUI.exe

Shell Extensions
Web Sites - {AB4F43CA-ADCD-4384-B9AF-3CECEA7D6544} - [Microsoft Corporation] : C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN\FPNSE.DLL
WinZip - {E0D79304-84BE-11CE-9641-444553540000} - [WinZip Computing, S.L.] : C:\Program Files\WinZip\wzshlstb.dll
WinZip - {E0D79305-84BE-11CE-9641-444553540000} - [WinZip Computing, S.L.] : C:\Program Files\WinZip\wzshlstb.dll
WinZip - {E0D79306-84BE-11CE-9641-444553540000} - [WinZip Computing, S.L.] : C:\Program Files\WinZip\wzshlstb.dll
WinZip - {E0D79307-84BE-11CE-9641-444553540000} - [WinZip Computing, S.L.] : C:\Program Files\WinZip\wzshlstb.dll
RealOne Player Context Menu Class - {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - [RealNetworks, Inc.] : C:\Program Files\Real\RealPlayer\rpshell.dll
Desktop Explorer - {1CDB2949-8F65-4355-8456-263E7C208A5D} - [NVIDIA Corporation] : C:\WINDOWS\system32\nvshell.dll
- {1E9B04FB-F9E5-4718-997B-B8DA88302A47} - [NVIDIA Corporation] : C:\WINDOWS\system32\nvshell.dll
nView Desktop Context Menu - {1E9B04FB-F9E5-4718-997B-B8DA88302A48} - [NVIDIA Corporation] : C:\WINDOWS\system32\nvshell.dll
TuneUp Theme Extension - {44440D00-FF19-4AFC-B765-9A0970567D97} - [TuneUp Software GmbH] : C:\WINDOWS\system32\uxtuneup.dll

Protocol Handler
AsyncPProt Class - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - [Microsoft Corporation] : C:\WINDOWS\system32\Msdxm6.ocx

Services
23 - [QFX Software Corporation] : C:\WINDOWS\system32\drivers\keyscrambler.sys
23 - : C:\WINDOWS\system32\Drivers\SnopFree.sys
23 - [Symantec Corporation] : C:\WINDOWS\system32\drivers\NAV\1005000.086\SYMEFA.SYS

Threat Files
<Trojan.Crypt.ZPACK.Gen> : d:\Documents and Settings\Grace\reader_s.exe
<Trojan.Spy.Pophot.hdd> : d:\WINDOWS\xccdf16_090305a.dll
<Worm.Pinit.bz> : d:\WINDOWS\system32\1C.tmp
<Trojan.Spy.Pophot.hdd> : d:\WINDOWS\system32\inf\xccdfb16_090305.dll
<Trojan.Downloader.FraudLoad.vqzq> : d:\WINDOWS\Temp\BN2.tmp

Advanced Files Report
%PROGRAMFILES%\Norton AntiVirus\Engine\16.5.0.134\NavShExt.dll [Symantec Corporation] [Symantec Shared Component] MD5=A5DEC313D486D363C3BD5FF7948AC23B SIZE=269680
%PROGRAMFILES%\Norton AntiVirus\Engine\16.5.0.134\ccL80U.dll [Symantec Corporation] [Symantec Security Technologies] MD5=7307267DDDBC6F3B47B78ABF8B2B9313 SIZE=523624
%PROGRAMFILES%\WinZip\wzshlstb.dll [WinZip Computing, S.L.] [WinZip] MD5=6568B043297BE8CCBD653A56499E521B SIZE=11104
%PROGRAMFILES%\Norton AntiVirus\Engine\16.5.0.134\Navw32.exe [Symantec Corporation] [Symantec Shared Component] MD5=5B8E7412BDD564542A8594A3DB21CBD7 SIZE=135536
%PROGRAMFILES%\Norton AntiVirus\Engine\16.5.0.134\ccVrTrst.dll [Symantec Corporation] [Symantec Security Technologies] MD5=330870DECA9AFDC486075DF0F44B4E25 SIZE=80744
%PROGRAMFILES%\Norton AntiVirus\Engine\16.5.0.134\EFACli.dll [Symantec Corporation] [EFA] MD5=5BA6C977C59CA6C2E85CE3DC752EEFC2 SIZE=42856
%PROGRAMFILES%\Norton AntiVirus\Engine\16.5.0.134\avScanUI.dll [Symantec Corporation] [Symantec Shared Component] MD5=E48CC815569B6B25BDF544224CF30C06 SIZE=505712
%PROGRAMFILES%\Norton AntiVirus\Engine\16.5.0.134\AVIfc.dll [Symantec Corporation] [Symantec Shared Component] MD5=32D5CE6D98124772FF377ADC252EB989 SIZE=409968
%PROGRAMFILES%\Norton AntiVirus\Engine\16.5.0.134\AppMgr32.dll [Symantec Corporation] [Symantec Shared Component] MD5=60079BFD9891F5A147108022BB80C5C4 SIZE=268656
%PROGRAMFILES%\Norton AntiVirus\Engine\16.5.0.134\AVModule.dll [Symantec Corporation] [Symantec Shared Component] MD5=83DB86773E674FC687B0E0A4CC7AD06E SIZE=1061744
%PROGRAMFILES%\Norton AntiVirus\Engine\16.5.0.134\Srtsp32.dll [Symantec Corporation] [AutoProtect] MD5=3AEBF9427C832E8C8F430BF8418332DC SIZE=300408
%PROGRAMFILES%\Norton AntiVirus\Engine\16.5.0.134\ccIPC.dll [Symantec Corporation] [Symantec Security Technologies] MD5=4025A3B3ADA0DBFF7A4190AC6FE2B2B8 SIZE=147816
%PROGRAMFILES%\Norton AntiVirus\Engine\16.5.0.134\SYMHTML.DLL [Symantec Corporation] [SymHTML] MD5=E75C509B314543C974E00EF34158102F SIZE=1784152
%PROGRAMFILES%\Norton AntiVirus\Engine\16.5.0.134\ccScanw.dll [Symantec Corporation] [Symantec Security Technologies] MD5=C363D87771F935A42D94088D6605EF35 SIZE=328552
%PROGRAMFILES%\Norton AntiVirus\Engine\16.5.0.134\ecmldr32.DLL [Symantec Corporation] [ECOM Loader] MD5=67F5A45225F4A322E96CEE25825A512D SIZE=42864
%ALLUSERS_APPDATA%\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090510.003\ecmsvr32.dll [Symantec Corporation] [ECOM Server] MD5=5A606338E6AB1532C9F124E79401235B SIZE=259368
%ALLUSERS_APPDATA%\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090510.003\NAVEX32a.DLL [Symantec Corporation] [Symantec Antivirus Engine] MD5=D4A356DDC1566FC6AC3901AF59343943 SIZE=1181040
%ALLUSERS_APPDATA%\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090510.003\NAVENG32.DLL [Symantec Corporation] [Symantec Antivirus Engine] MD5=B837604F9058492659D3EFEFD4CDE576 SIZE=177520
%ALLUSERS_APPDATA%\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090510.003\ccEraser.dll [Symantec Corporation] [ERASER ENGINE] MD5=D94A420EBE656E8E6267B0E4CE396A1F SIZE=2414128
%PROGRAMFILES%\Norton AntiVirus\Engine\16.5.0.134\msl.dll [Symantec Corporation] [Symantec Security Technologies] MD5=65EDED273D6E79666E68080E016101A2 SIZE=268648
%PROGRAMFILES%\Norton AntiVirus\Engine\16.5.0.134\AVExclu.dll [Symantec Corporation] [Symantec Shared Component] MD5=98C12803C480DE82514407EA653A60F7 SIZE=122736
%PROGRAMFILES%\Norton AntiVirus\Engine\16.5.0.134\dec_abi.dll [Symantec Corporation] [Symantec Decomposer Component] MD5=1DCA720B7CD97DEB07FD9F7E1DCB4C9E SIZE=2106720
%PROGRAMFILES%\Norton AntiVirus\Engine\16.5.0.134\QBackup.dll [Symantec Corporation] [Symantec Shared Component] MD5=0824409AF6DEABA61515F8BAB582C344 SIZE=110960
%APPDATA%\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL MD5=11AB72D5D603DB401C190B454FB935A7 SIZE=117760
deskpan.dll
%COMMONFILES%\Microsoft Shared\web server extensions\12\BIN\FPNSE.DLL [Microsoft Corporation] [2007 Microsoft Office system] MD5=3D83D16D00FCEDCB6FD1A60139E06590 SIZE=421264
%PROGRAMFILES%\Real\RealPlayer\rpshell.dll [RealNetworks, Inc.] [RealPlayer] MD5=E56ADA1922D173913EF98470FC4788DF SIZE=63016
%SYSDIR%\nvshell.dll [NVIDIA Corporation] [NVIDIA Desktop Explorer, Version 111.75] MD5=70BDDEE1D46FC4E98AD76A4B4EBE63FF SIZE=466944
%SYSDIR%\uxtuneup.dll [TuneUp Software GmbH] [TuneUp Utilities] MD5=838C97B3D28BFEBDD11D12ADFE957004 SIZE=28416
%SYSDIR%\svchost.exe -k netsvcs
%SYSDIR%\svchost -k DcomLaunch
%SYSDIR%\svchost.exe -k NetworkService
%SYSDIR%\drivers\keyscrambler.sys [QFX Software Corporation] [KeyScrambler ®] MD5=53D9BD8BDF06D7E5FA2DAB25AFB659B0 SIZE=114024
%SYSDIR%\svchost.exe -k LocalService
%SYSDIR%\svchost -k rpcss
%SYSDIR%\Drivers\SnopFree.sys MD5=21EA9DC8FBE1236051832ABB5254226F SIZE=9472
%SYSDIR%\drivers\NAV\1005000.086\SYMEFA.SYS [Symantec Corporation] [EFA] MD5=D0403502B507878AA57A79E45B7DFE40 SIZE=310320
%SYSDIR%\Msdxm6.ocx [Microsoft Corporation] [DirectShow] MD5=C8DDFF02594C4A0C4C7C60DF8981E256 SIZE=844048
%SYSDIR%\\Drivers\keyscrambler.sys [QFX Software Corporation] [KeyScrambler ®] MD5=53D9BD8BDF06D7E5FA2DAB25AFB659B0 SIZE=114024

End of Report

Malaware Bytes Anti Malaware Log:

Malwarebytes' Anti-Malware 1.36
Database version: 2105
Windows 5.1.2600 Service Pack 3

5/10/2009 5:50:03 PM
mbam-log-2009-05-10 (17-50-03).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 361915
Time elapsed: 1 hour(s), 11 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\System Volume Information\_restore{99C74EC4-8220-44C6-8A2E-B2D79F7AC498}\RP37\A0023845.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{99C74EC4-8220-44C6-8A2E-B2D79F7AC498}\RP37\A0025863.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{99C74EC4-8220-44C6-8A2E-B2D79F7AC498}\RP37\A0026864.sys (Backdoor.IEBooot) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{99C74EC4-8220-44C6-8A2E-B2D79F7AC498}\RP37\A0026865.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{99C74EC4-8220-44C6-8A2E-B2D79F7AC498}\RP37\A0026866.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{99C74EC4-8220-44C6-8A2E-B2D79F7AC498}\RP37\A0026867.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{99C74EC4-8220-44C6-8A2E-B2D79F7AC498}\RP37\A0027863.sys (Backdoor.IEBooot) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{99C74EC4-8220-44C6-8A2E-B2D79F7AC498}\RP37\A0027864.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\UACkwfchxwbdmauvre.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\UACqpfyehwfjpfaptw.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\UACrxlxyqxgkbmoqmx.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\UACycbruiordelmfqw.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YCGMPVCQ\Installer[1].exe (Rogue.CoreguardSoftware) -> Quarantined and deleted successfully.
D:\WINDOWS\Temp\VRT1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

EDIT: Ran Malaware again, didn't get to complete the scan, but here's the log:

Malwarebytes' Anti-Malware 1.36
Database version: 2112
Windows 5.1.2600 Service Pack 3

5/11/2009 9:16:19 PM
mbam-log-2009-05-11 (21-16-19).txt

Scan type: Full Scan (D:\|E:\|F:\|G:\|)
Objects scanned: 57024
Time elapsed: 57 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\Documents and Settings\Grace\Local Settings\Temporary Internet Files\Content.IE5\L78CDHO7\cs[1].htm (Trojan.Backdoor) -> Quarantined and deleted successfully.
D:\Documents and Settings\Grace\Local Settings\Temporary Internet Files\Content.IE5\L78CDHO7\cs[2].htm (Trojan.Backdoor) -> Quarantined and deleted successfully.
D:\Documents and Settings\Grace\Local Settings\Temporary Internet Files\Content.IE5\YHX1EC7H\abb[1].txt (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Documents and Settings\Grace\Local Settings\Temporary Internet Files\Content.IE5\YHX1EC7H\abb[2].txt (Trojan.Agent) -> Quarantined and deleted successfully.

Edited by sidorak95, 11 May 2009 - 09:18 PM.

One or more of the identified infections was related to a rootkit component and another was a backdoor Trojan. Backdoor Trojans, rootkits, Botnets and IRCBots are very dangerous because they compromise system integrity] by making changes that allow it to by used by the attacker for malicious purposes. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker. To learn more about these types of infections, you can refer to:

• Danger: Remote Access Trojans
• What danger is presented by rootkits?
• Rootkits and how to combat them
• r00tkit Analysis: What Is A Rootkit

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

• How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
• What Should I Do If I've Become A Victim Of Identity Theft?
• Identity Theft Victims Guide - What to do

Although the infection was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. Further, with so much infection, the malware may leave so many remnants behind that security tools cannot find them.

Combining all this malware with the Virut infection, my advice is to wipe the drive clean, reformat and reinstall the OS as I already recommended.

Edited by quietman7, 12 May 2009 - 08:33 AM.

Yeah, I think I'll do that. Is there any way I can salvage some data? I've connected the hard drive as a secondary on a clean computer, and when I try to access the files, It tells me that Access is denied. Can I bypass this, or do I have to be on the correct computer?

EDIT: Would I have to change the router password, even if I haven't logged on from the infected computer?

Edited by sidorak95, 12 May 2009 - 04:48 PM.

Anytime your system becomes infected its best practice to change all passwords to include your router.

With Virut infections there is always a chance of backed up data reinfecting your system. If the data is that important to you, then you can try to salvage some of it but there is no guarantee so be forwarded that you may have to start over again afterwards if reinfected. Only back up your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, and .html) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executable files inside them as some types of malware can penetrate and infect .exe files within compressed files too. Other types of malware may even disguise itself by adding and hiding its extension to the existing extension of file(s) so be sure you look closely at the full file name. After reformatting, scan the backed up data with your anti-virus prior to to copying it back to your hard drive.