pc totally messed up....winlog.exe, virut,etc...


This topic is locked
7 replies to this topic

#1 jon2 (Members, 65 posts)

Posted 03 June 2009 - 11:49 PM

Yesterday I downloaded PC Tools Spyware Doctor Starter Edition with Google Pack and PC Tools AntiVirus, but suddenly an error occurred after rebooting; my PC didn't start up, so I restored it to the Last Known Good Configuration, but everything still seems not OK: slow startup, minimal running services, my network adapter can't acquire a connection, and I can't uninstall Google Update. I'm also planning to do a complete reformat.

My network seems to be acquiring a connection forever but can't connect; it cycles and cycles but isn't blinking.
My programs work well, but it takes a century before getting to the desktop. I can't uninstall Google Pack. I'm now running Spyware Doctor.

All my drivers, like sound, keep uninstalling. I can't open my Windows Firewall; it says some associated service is not running. I tried to uninstall the drivers, and after restarting it worked, but after restarting again I'm back to my problem. My network connection uninstalled the QoS Packet Scheduler; I don't know why it is missing. What I remember is that the moment I was downloading Google Pack, I got disconnected, then my PC hung. I couldn't cancel the installation (Google Earth). I had installed Google Desktop and Photo Screensaver (but it was blocked by ThreatFire). I also downloaded and installed PC Tools AntiVirus and updated it, but I think this is the root of the problem: it started to hang and disconnect. Then after restarting, no sound, and the network icon keeps cycling and says "acquiring network address" but never connects. I tried to uninstall Google Pack but received an error. My big problem is I can't get my CD-ROM to work, because I'm planning to reformat now, since I don't have any documents to back up (because I already did that before). My PC is running faster now because I don't have any installed programs or antivirus; it uses only 145 MB, but the startup is slow and there's no sound. I already manually updated to SP3, but that didn't fix it.

I don't have two antivirus programs; I'm trying them one by one to see which one catches more, because I suspect my PC is infected. It's been two years since I last reformatted my PC, because my CD-ROM broke. I uninstalled them. I tried to fix it with ComboFix because I had no choice, since I couldn't install any program and couldn't run a firewall, even Windows Firewall, or other security programs, but ComboFix fixed my problem. But now, after two days, I have my problem back. I already installed SUPERAntiSpyware, Avira, Malwarebytes and Comodo, and they caught over 60 infections. SUPERAntiSpyware caught Trojan Hugipon and an unknown trojan; I can't remember what Malwarebytes caught, I will rescan again; Avira caught AdSpy Spatch. My wallpaper constantly changes to something black,
like before. I don't know why I got this; I had just received an update for my Windows.

Maybe I have infected files that triggered the infection to run again, because I backed them up and copied them to a newly formatted USB drive. I remember having been infected by winlog.exe, explorer.exe (infected), the Virut/Sality virus and other generic trojan clickers. I disabled all autoruns, but maybe the infection was triggered to run again after accessing the backup files or while copying them.

I tried sfc /scannow, and some XP files are missing and need the CD. I don't have a CD-ROM in my PC #1. I'm also suspecting my PC #2 contains my infected files transferred from PC #1.

Does it mean that my other computer may be infected also, because I transferred my files onto it? Should I separately post the scans for the two machines, or will a clean reformat do?

What if all my gazillion files are infected; how can I save them? Is it possible for a picture, doc, AVIs or movies, PDF, HTML, etc., to be infected and not be seen by any other scanner? Because previously I consulted here in BC, and one guy said that there's no other solution to removing Sality other than reformatting, and don't back up EXEs and HTMLs. But I'm worried about my ebooks and documents.

Before using ComboFix my clock constantly changed and my wallpaper disappeared; I couldn't connect to the Internet and couldn't update, or maybe received fake updates, because it's weird that Malwarebytes didn't catch anything, including SUPERAntiSpyware. But after running ComboFix I reinstalled them again and they run normally. It's also weird that my browser has not been hijacked, because I got to this site.

Sorry for the long post. Need help, please!


#2 jon2 (Topic Starter, Members, 65 posts)

Posted 03 June 2009 - 11:51 PM

My PC #2 is 64-bit and can't run ComboFix, DDS or any other security program like a firewall. I've been amazed by DefenseWall, Online Armor and even Kerio, but can't install them. I'm using my PC #2 now, because my PC #1 is not safe to use for now.

#3 garmanma (Computer Masochist, Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 04 June 2009 - 08:36 PM

my PC #2 is 64-bit and can't run ComboFix and DDS

If you cannot get DDS to work, please try this instead.

Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop-down box set to the default: "List/folders created or modified in the last 1 month (30 days)".
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Save the log file to your desktop and copy/paste the contents into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.
If RSIT did not work, then reply back here.
--------------------------------------------


there's no other solution in removing sality other than reformatting and don't backup exe's and html's...


This is correct
USB drives, everything
You should not back up anything
Mark

#4 jon2 (Topic Starter, Members, 65 posts)

Posted 06 June 2009 - 02:07 PM


#5 Orange Blossom (OBleepin Investigator, Moderator, 36,911 posts, Bloomington, IN)

Posted 06 June 2009 - 02:27 PM

I merged the topic you made in the HiJack This forum with your topic here as you didn't post any logs.

I see that you have issues with two computers. If the 64-bit one is not the one with the broken CD drive and is also the one that has not been diagnosed with either Virut or Sality, please follow the instructions for running RSIT that garmanma has posted. You need to post that log in your HJT topic.

As for the computer with the broken CD drive that has been infected with Sality and Virut, I'm afraid the only option for fixing this is a Reformat.

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Virux is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, and .html). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable.

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus... Due to the damage caused to files by Virut, it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG Overview of W32/Virut

This kind of infection is contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way, you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens, there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before you connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read:

There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

Now, given that your CD drive is toast and that your computer doesn't support USB booting, another means will have to be found to reformat your computer. I don't know if there is a way of hooking up an external CD drive through a different kind of port on your computer. To find out, please post a topic concerning this in the Hardware forum. Be sure to include the following information in your post:

Make, model and year of your computer and whether it is a laptop or desktop computer.

Orange Blossom
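The post above describes two Virut/Virux symptoms a responder can check for by hand before deciding to reformat: hidden `<iframe>` tags injected into web files (.php, .asp, .html) and HOSTS-file entries that pin security vendors' hostnames to a bogus address so updates and scanner downloads fail. The script below is an added triage example written for this editing pass, not code from the thread or from any of the tools named in it. The list of watched domains, the "tiny or hidden iframe" heuristic, and both sample inputs are constructed assumptions; a real run would point the functions at the web root and at %SystemRoot%\system32\drivers\etc\hosts.

```python
"""Triage checks for two file-infector symptoms described in the thread.

Added example, not from the original post. Both sample inputs below are
constructed for illustration; the watched-domain list is an assumption.
"""
import re
from typing import List, Tuple

# Security-vendor hostnames whose presence in HOSTS is suspect (assumed list).
WATCH_DOMAINS = (
    "bleepingcomputer.com",
    "malwarebytes.org",
    "avira.com",
    "superantispyware.com",
)

# Opening <iframe ...> tag, attributes included.
_IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Heuristic for an injected frame: 0/1 pixel dimensions or CSS that hides it.
_HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?\s*[01]\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)
_SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def find_injected_iframes(html: str) -> List[str]:
    """Return the src of each iframe that is hidden or 1x1 (injection heuristic)."""
    hits = []
    for tag in _IFRAME_RE.findall(html):
        if _HIDDEN_RE.search(tag):
            m = _SRC_RE.search(tag)
            hits.append(m.group(1) if m else "<no src>")
    return hits


def suspicious_hosts_entries(hosts_text: str, watch=WATCH_DOMAINS) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs that map a watched domain or subdomain.

    A clean HOSTS file normally contains no vendor hostnames at all, so any
    such entry, whatever address it points to, is worth investigating.
    """
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            lname = name.lower()
            if any(lname == d or lname.endswith("." + d) for d in watch):
                findings.append((ip, name))
    return findings


# Constructed sample inputs (not captured from a real machine).
SAMPLE_HTML = """<html><body>
<p>Normal page</p>
<iframe src="http://example.org/legit" width="600" height="400"></iframe>
<iframe src="http://bad.example/x.php" width=1 height=1 style="visibility:hidden"></iframe>
<iframe style="display:none" src='http://evil.example/in.cgi'></iframe>
</body></html>"""

SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org   # added by malware
127.0.0.1       download.avira.com
192.168.1.10    fileserver
"""

if __name__ == "__main__":
    for src in find_injected_iframes(SAMPLE_HTML):
        print("hidden iframe ->", src)
    for ip, host in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("HOSTS override ->", ip, host)
```

Either finding on its own is not proof of infection (a legitimate page can use a hidden frame, and some hardening tools deliberately populate HOSTS), but on a machine already showing the symptoms in this thread they corroborate the file-infector diagnosis and identify which files and which update channels were tampered with.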

#6 jon2 (Topic Starter, Members, 65 posts)

Posted 07 June 2009 - 08:08 AM

I don't understand. I posted a new topic in the HJT section and attached the log file.

#7 jon2 (Topic Starter, Members, 65 posts)

Posted 07 June 2009 - 08:12 AM

My old PC is a Hitachi Flora DP1 all-in-one PC. I googled how to reformat using the internal drive: I will format the other partition to FAT32, then copy the Windows files to it, then boot using a boot disk (I have a working floppy). But I'm worried about the step-by-step on how to wipe out the drive without accessing the infection again. What program should I use to securely delete the drive?

My other PC is 64-bit and also can't run RSIT; it gives me an error.

#8 Orange Blossom (OBleepin Investigator, Moderator, 36,911 posts, Bloomington, IN)

Posted 07 June 2009 - 12:48 PM

I don't understand. I posted a new topic in the HJT section and attached the log file.


There was no log posted to that topic.

My old PC is a Hitachi Flora DP1 all-in-one PC. I googled how to reformat using the internal drive: I will format the other partition to FAT32, then copy the Windows files to it, then boot using a boot disk (I have a working floppy). But I'm worried about the step-by-step on how to wipe out the drive without accessing the infection again. What program should I use to securely delete the drive?


That is a question to ask in the appropriate OS (Operating system) forum. They will need to know your OS and make and model of your computer. I'm not certain that you need to wipe the drive before reformatting, but it certainly wouldn't hurt.

My other PC is 64-bit and also can't run RSIT; it gives me an error.


I see that you have now been successful in running RSIT and have posted here: http://www.bleepingcomputer.com/forums/t/232221/computer-badly-infected/ I fervently hope that in your description in that topic you haven't mixed up the two PCs. One PC per HJT topic. Since you are reformatting one computer, there is no point in posting a log for that computer there.

Please note: now that you have a log posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond. Please be patient. It may take a while to get a response, but your log will be reviewed and answered as soon as possible.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom