Author Topic: Nasty virus attack – Impossible to clean my PC, Assistance Please  (Read 16228 times)


cdestefani

  • Guest
About 3 days ago my PC got infected with several viruses. This is what I have done so far:

First thing was to disconnect it from the internet.

Then I tried to start the PC in Safe Mode and it didn't boot. I forced Safe Mode with msconfig, selecting “SafeMode/Minimal” in Boot.ini, and it took me into a nonstop restart loop. It took me over a day to fix the boot.ini file and make it start again. The PC has an ASUS P5GC MX/1333 and I can't make it boot in Safe Mode.

With Windows XP SP3 in standard mode, Avast and SpyBot were disabled; every time I want to run them a message says "they are not Win32 applications". Malwarebytes is the only antivirus that works, and every time it runs it finds 2 or 3 registry keys and 4 or 5 infected files. I delete them all, but to delete some of them the PC must be rebooted, and in the process all of them are either not deleted or regenerated.

So I tried the Avira Rescue CD, with several files renamed; some of them were in the System Volume Information folder, which I could not get access to in order to delete them. The others were deleted, but I could also see they were regenerated.

Today I downloaded the DrWeb Rescue CD and attempted to clean it during the startup process, but it stopped in the System Volume Information folder. I ran it a few times; I managed to stop it whenever I saw a virus (Trojan.StartPage) and restarted the scan, hoping it would continue past the critical stop point without these files. But there was no difference.

I can't install HijackThis, it is blocked by the viruses.

So, from my understanding, I have two options:

Try to find other Rescue CDs and run them, and eventually the PC may become clean, or ask for some assistance in this forum.

Can anyone offer me some assistance with this nasty problem? I am lost, not knowing what the best solution is. I can't reformat the HD; I have a lot of data that I can't copy (too many GBs) and I can't afford to lose it.

Thanking you in advance,

Carlos

CharleyO

  • Guest
Re: Nasty virus attack – Impossible to clean my PC, Assistance Please
« Reply #1 on: August 22, 2009, 02:27:44 PM »
***

Hi Carlos -

Have you tried renaming HJT to something else?

Maybe CarlosThis? Will it install then?


***

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1777
  • Thinking with Portals
Re: Nasty virus attack – Impossible to clean my PC, Assistance Please
« Reply #2 on: August 22, 2009, 02:36:04 PM »
Run some more rescue disks like Kaspersky Rescue CD and Norton Rescue Disk. Then, after deleting some viruses, unplug your modem or halt any of your internet connectivity.

Try to find a clean PC and put in your Flash disk. From there download all updates of your antivirus and antimalware tools.
(1) Avast updates
(2) SUPERantiSpyware

Then, copy all the updates to your Flash Disk and head over to your PC. Boot into Safe Mode and use the updates. Schedule an avast boot-time scan.

NOTE: If avast won't open, head over to C:\Program Files\Alwil Software\Avast4\ashAvast.exe and rename ashAvast.exe to undefined.exe.

After the boot-time scan, scan with MBAM and SuperAntiSpyware.

Post a HijackThis log here afterwards.
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

micky77

  • Guest
Re: Nasty virus attack – Impossible to clean my PC, Assistance Please
« Reply #3 on: August 22, 2009, 05:05:02 PM »
Quote
Then I tried to start the PC in safe mode and it didn't boot. I forced the Safe Mode with the msconfig selecting in Boot.ini “SafeMode/Minimal” and it took me to a nonstop starting loop.

You should not use msconfig to start in Safe Mode on an infected PC. But I guess you know that now. Can you post as many of the infected file names and locations as you can, especially from MBAM and the rescue disc? No need to post any that were found in System Restore (System Volume Information).

cdestefani

  • Guest
Re: Nasty virus attack – Impossible to clean my PC, Assistance Please
« Reply #4 on: August 23, 2009, 09:21:41 AM »
CharleyO,

I tried to rename HijackThis, but when I double-click to install it, the "HijackThis" name comes up and does it.

I even tried to rename the "ashAvast.exe" for a boot scan, and Windows Explorer stopped working.

L'arc,

Rescue CDs: I downloaded Kaspersky, but I can't update the virus database; it fails. Any help? I downloaded all the database files available, complete (~67MB), weekly (~2MB) and daily (400KB), and put them on a USB stick, but it fails to update. Wrong data?

Norton Rescue CD is not for WinXP.

I downloaded F-Secure Rescue CD, but at the start the screen goes black and I stopped there after a couple of minutes.

I have two Rescue CDs left to try, BitDefender and Avira; any comments?

I found that on those FTP sites there are .iso and .iso.md5 files; what are those? Which one do I need to download and burn?


micky77,

I ran Malwarebytes' with database 2660 (8/19/2009) and found in a quick scan:

Worm.Bagle "Folder" in C:\Documents and Settings\Carlos\Application Data\drivers\downld
Rootkit.Bagle "File" in C:\Documents and Settings\Carlos\Application Data\drivers\111wfs1intwq.sys
Rootkit.Bagle.KillAV "File" in C:\Documents and Settings\Carlos\Application Data\drivers\11s11ro1s1a2.sys
Trojan.Agent "File" in C:\Documents and Settings\Carlos\Application Data\drivers\winupgro.exe
Rootkit.Bagle "Registry Key" HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drvsyskit
Rootkit.Bagle "Registry Key" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\111111s1ro1s1a

I think that if those registry keys are deleted, most of the problem will be solved. Any suggestions on how to use RegEdit?

Thanks in advance for all your assistance.
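An added example, not from the post above or from Malwarebytes: a small triage script over findings in the shape of the list above. It separates the two persistence entries (the Services key, which registers a driver loaded at boot, and the per-user Run key) from the dropped files under the profile's Application Data\drivers folder, and orders remediation so that whatever reloads the malware at boot is dealt with before the files it drops. The sample lines are constructed from the detection names, paths and key names listed above, with the Run key written in its usual HKEY_CURRENT_USER\SOFTWARE\...\CurrentVersion\Run form.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the Malwarebytes quick-scan findings quoted in the
# post above (same detection names, paths and key names; the Run key is written in
# its normal HKEY_CURRENT_USER\SOFTWARE\...\CurrentVersion\Run form).
SAMPLE_REPORT = r"""
Worm.Bagle "Folder" in C:\Documents and Settings\Carlos\Application Data\drivers\downld
Rootkit.Bagle "File" in C:\Documents and Settings\Carlos\Application Data\drivers\111wfs1intwq.sys
Rootkit.Bagle.KillAV "File" in C:\Documents and Settings\Carlos\Application Data\drivers\11s11ro1s1a2.sys
Trojan.Agent "File" in C:\Documents and Settings\Carlos\Application Data\drivers\winupgro.exe
Rootkit.Bagle "Registry Key" HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drvsyskit
Rootkit.Bagle "Registry Key" HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\111111s1ro1s1a
"""

# One finding per line: <detection name> "<kind>" [in] <location>
LINE_RE = re.compile(r'^(?P<name>\S+)\s+"(?P<kind>[^"]+)"\s+(?:in\s+)?(?P<location>.+?)\s*$')

# Persistence locations, from earliest-loading to latest.
SERVICE_RE = re.compile(r"\\CurrentControlSet\\Services\\", re.IGNORECASE)
RUN_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Real Windows drivers live in System32\drivers; a drivers folder under a user profile
# is the pattern seen in this thread.
PROFILE_DRIVERS_RE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\Application Data\\drivers\\", re.IGNORECASE)

@dataclass
class Finding:
    name: str
    kind: str
    location: str
    category: str  # "service", "autorun", "registry", "profile-driver" or "file"
    note: str

def classify(kind, location):
    """Map a finding to a persistence category and a one-line explanation."""
    if kind == "Registry Key":
        if SERVICE_RE.search(location):
            return "service", "service/driver registration: loads at boot, before anyone logs on"
        if RUN_RE.search(location):
            return "autorun", "per-user Run key: restarts the payload at every logon"
        return "registry", "other registry artefact"
    if PROFILE_DRIVERS_RE.search(location):
        return "profile-driver", "driver or binary under a user profile; Windows drivers belong in System32\\drivers"
    return "file", "dropped file"

def triage(report):
    """Parse a report into Finding objects, skipping lines that do not match."""
    findings = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        category, note = classify(m["kind"], m["location"])
        findings.append(Finding(m["name"], m["kind"], m["location"], category, note))
    return findings

# Disable what reloads the malware before deleting what it drops: if the service
# still loads at the next boot, it recreates the files, which is the "deleted, then
# regenerated" behaviour described in this thread.
PRIORITY = {"service": 0, "autorun": 1, "registry": 2, "profile-driver": 3, "file": 4}

def remediation_order(findings):
    """Locations in the order a cleanup should address them (stable sort)."""
    return [f.location for f in sorted(findings, key=lambda f: PRIORITY[f.category])]

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.category:14}] {f.kind:12} {f.location}")
        print(f"{'':16} {f.note}")
    print("\nRemediation order:")
    for loc in remediation_order(triage(SAMPLE_REPORT)):
        print("  " + loc)
```

The ordering is the practical point: deleting the files while the service entry still exists only invites the driver to drop them again on the next boot, so the Services key and the Run key come first, and the files under the profile afterwards, ideally from a rescue CD or other environment where the driver is not loaded.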

Offline mathboyx215

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 449
Re: Nasty virus attack – Impossible to clean my PC, Assistance Please
« Reply #5 on: August 23, 2009, 09:25:24 AM »
You can delete those registry keys using Malwarebytes.
First update Malwarebytes and run a quick scan. Delete everything Malwarebytes finds and reboot.
It is not possible to divide anything by zero

Offline scythe944

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2913
    • My Tech Blog
Re: Nasty virus attack – Impossible to clean my PC, Assistance Please
« Reply #6 on: August 23, 2009, 09:25:48 AM »
Quote
Any suggestions how to use RegEdit?

Click Start > Run.

Type regedit, then click OK.

Browse to the area that you want to edit and have fun, but be extremely careful.  I'd make a backup before making any changes.

How to back up and restore the registry in Windows http://support.microsoft.com/kb/322756
For generic computer (not avast) problems, you can also visit my forum for help: http://www.jacobytech.net/forum

micky77

  • Guest
Re: Nasty virus attack – Impossible to clean my PC, Assistance Please
« Reply #7 on: August 23, 2009, 10:18:18 AM »
You definitely have the Beagle virus. Have a look at this tool. I would either print off the instructions, or use another PC to read them. I have no experience with this tool, but it's well worth looking at. I would read the instructions fully and several times.
Oddly the download link does not work, but there is another link by the same person, which does.

Instructions http://forums.majorgeeks.com/showthread.php?t=185312

Download http://forums.majorgeeks.com/showpost.php?p=1353888&postcount=5

cinchez

  • Guest
Re: Nasty virus attack – Impossible to clean my PC, Assistance Please
« Reply #8 on: August 23, 2009, 11:29:50 AM »
Beagle?

Windows Malicious Software Removal Tool can remove that, I think...

You should try that at the very least^^

-AnimeLover^^

cdestefani

  • Guest
Re: Nasty virus attack – Impossible to clean my PC, Assistance Please
« Reply #9 on: August 23, 2009, 02:19:14 PM »
micky77,

Thanks a lot! I downloaded, installed and ran FindyKill; it found several nasty files, etc.

I attach the logs before and after the FindyKill cleaning and also HijackThis works now, so I attach a log too for further analysis and comments.

Thanks

YoKenny

  • Guest
Re: Nasty virus attack – Impossible to clean my PC, Assistance Please
« Reply #10 on: August 23, 2009, 02:29:43 PM »
I would uninstall the vulnerable Acrobat 7.0. 

If you only want to view pdf files then Foxit Reader is good but be sure to un-select the toolbar install as it is based on Ask.com:
http://www.filehippo.com/download_foxit

You should install User Profile Hive Cleanup Service to help with slow log off and unreconciled profile problems:
http://www.microsoft.com/DOWNLOADS/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

Run Secunia Online Software Inspector to see what other applications are vulnerable to infection:
http://secunia.com/vulnerability_scanning/online

CharleyO

  • Guest
Re: Nasty virus attack – Impossible to clean my PC, Assistance Please
« Reply #11 on: August 23, 2009, 03:52:51 PM »
***

In addition to what has been posted above, an analysis of your HJT log shows the following problems:


It seems that you don't use an anti-virus scanner or your scanner is not active. Only an anti-virus scanner can protect you against new viruses.

We didn't detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the Windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don't use any firewall at all.
We recommend you to use a firewall. Download and install one or activate Windows XP's own firewall.


O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: (no name) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - (no file)
Related to Adobe Acrobat. Unnecessary (deactivated) entry that can be fixed.
http://www.spyandseek.com/Search.php?search_for=18DF081C-E8AD-4283-A596-FA578C2EBDC3&search=SAS-Search   (5th entry on list)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
Unnecessary (deactivated) entry that can be fixed.

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
Unnecessary (deactivated) entry that can be fixed.

The above Bold entries should be fixed using HJT.


Overview of running tasks:

smss.exe                        System task      Session Manager Subsystem
winlogon.exe                    System task      Microsoft Windows Logon Process
services.exe                    System task      Windows Service Controller
lsass.exe                       System task      Local Security Authority Service
svchost.exe                     System task      Microsoft Service Host Process
svchost.exe                     System task      Microsoft Service Host Process
spoolsv.exe                     System task      Microsoft Printer Spooler Service
AppleMobileDeviceService.exe    Backgroundtask   Apple Mobile Device Service
mDNSResponder.exe               Backgroundtask   Bonjour for Windows Component
DkService.exe                   Backgroundtask   Executive Software
jqs.exe                         Backgroundtask   jqs.exe
svchost.exe                     System task      Microsoft Service Host Process
fxssvc.exe                      Application      Microsoft Fax
Explorer.EXE                    System task      Microsoft Windows Explorer
wscntfy.exe                     System task      Microsoft Windows Security Center
svchost.exe                     System task      Microsoft Service Host Process
igfxtray.exe                    Application      Intel Graphics configuration and diagnostic application
hkcmd.exe                       Application      Intel multimedia devices
igfxpers.exe                    Driver           Intel Common User Interface Module
essspk.exe                      Application      ESS V92 modems
GrooveMonitor.exe               Backgroundtask   GrooveMonitor Utility
HPWuSchd2.exe                   Backgroundtask   Hewlett Packard Software Update Scheduler
Acrotray.exe                    Backgroundtask   Acrobat Traybar Assistant
RTHDCPL.EXE                     Driver           Realtek HD Audio Sound Effect Manager
igfxsrvc.exe                    Driver           Intel(R) Common User Interface
jusched.exe                     Backgroundtask   Sun Java Update Scheduler
iTunesHelper.exe                Application      Apple Itunes
ctfmon.exe                      System task      Alternative User Input Services
TeaTimer.exe                    Application      Spybot S&D Realtime Scanner
MMonitor.exe                    Backgroundtask   TMMonitor
Acrobat_sl.exe                  Unknown task     Unknown task
hpqtra08.exe                    Backgroundtask   Hewlett Packard Imaging
WZQKPICK.EXE                    Backgroundtask   WinZip System Tray Application
FileOpenAPI.exe                 Unknown task     Unknown task
iPodService.exe                 Backgroundtask   Apple iTunes
wuauclt.exe                     System task      AutoUpdate Client
HijackThis.exe                  Application      Merijn Hijackthis


***

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1777
  • Thinking with Portals
Re: Nasty virus attack – Impossible to clean my PC, Assistance Please
« Reply #12 on: August 23, 2009, 03:56:59 PM »
So, here are my findings in your HJT log:

(1) Antivirus
       It seems like you don't have any antivirus installed, or it could possibly have been disabled by the virus; please enable/install one as early as possible.
       avast! Home download page

(2) Firewall
       It seems like you are either using XP's firewall or no firewall at all. XP's firewall does not support outbound protection, so you may enhance your protection by installing one with Outbound Protection. Examples are PCTools | Online Armor | Agnitum Outpost

(3) Unnecessary and deactivated keys that can be fixed

- O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)

- O2 - BHO: (no name) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - (no file)

- O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

- O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

EDIT: CharleyO is really fast. :grin:
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1
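An added example serving both HJT analyses above (CharleyO's and L'arc's); it is not code from either poster or from HijackThis. It parses the O2 (browser helper object), O9 (IE toolbar button) and O4 (autostart) line formats, marks entries whose target is "(file missing)" or "(no file)" as orphans that are safe to fix, and flags autostart entries that launch from a user profile or temp directory. The sample log is constructed: the four O2/O9 lines are the ones quoted in the two posts, and the two O4 lines are made up for contrast, one for the Intel tray applet that appears in the process list above and one written the way a Run-key entry for the drvsyskit value and winupgro.exe file reported earlier in the thread would look in HijackThis.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log (see lead-in): the quoted O2/O9 lines plus two made-up O4 lines.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\Carlos\Application Data\drivers\winupgro.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
"""

# O2 and O9 entries carry a CLSID between the display name and the target file.
CLSID_LINE = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<name>.+?) - "
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - (?P<target>.+)$")
# O4 entries name the hive and the Run/RunOnce value, then the command.
RUN_LINE = re.compile(
    r"^(?P<section>O4) - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<target>.+)$")

PROFILE_PATH = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(Application Data|Local Settings)\\", re.IGNORECASE)
TEMP_PATH = re.compile(r"\\Temp\\", re.IGNORECASE)

@dataclass
class Entry:
    section: str
    kind: str
    name: str
    clsid: str    # empty for O4 entries
    target: str
    verdict: str  # "orphan", "suspicious" or "review"
    note: str

def assess(target):
    """Judge an entry by its target path alone; nothing here touches the machine."""
    if target.endswith("(file missing)") or target == "(no file)":
        return "orphan", "references a file that no longer exists; dead entry, safe to fix"
    if PROFILE_PATH.search(target) or TEMP_PATH.search(target):
        return "suspicious", ("autostarts from a user profile or temp directory; installed software "
                              "normally lives under Program Files or the Windows directory")
    return "review", "no red flag in the path; confirm the publisher before changing it"

def parse_hjt(text):
    """Parse O2/O9 and O4 lines into Entry objects; other sections are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CLSID_LINE.match(line)
        if m:
            kind, clsid = m["kind"], m["clsid"].upper()
        else:
            m = RUN_LINE.match(line)
            if not m:
                continue
            kind, clsid = f"{m['hive']} {m['key']}", ""
        verdict, note = assess(m["target"])
        entries.append(Entry(m["section"], kind, m["name"], clsid, m["target"], verdict, note))
    return entries

def summarize(entries):
    """Count entries per verdict, e.g. {'orphan': 4, 'review': 1, 'suspicious': 1}."""
    return dict(Counter(e.verdict for e in entries))

if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT)
    for e in parsed:
        print(f"{e.section} {e.verdict:10} [{e.name}] {e.target}")
        print(f"   {e.note}")
    print(summarize(parsed))
```

"Fixing" an orphan in HijackThis only removes the registry reference, which is all that is left once the program behind it is gone; the same operation on a live entry leaves the file in place, so a suspicious O4 line is a lead for the scanners rather than something to fix and forget.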

micky77

  • Guest
Re: Nasty virus attack – Impossible to clean my PC, Assistance Please
« Reply #13 on: August 23, 2009, 04:52:54 PM »
The FindyKill log looks impressive. I would consider running ComboFix; it may work properly now you have removed some nasties.
I don't normally suggest it, because I am not experienced with it. However, Bagle/Beagle is such a baddy that I find it hard to believe you're anywhere near clean. Remember to remove your old version first. Read the instructions carefully, especially about the Recovery Console, and disabling all real-time protection, including TeaTimer and the firewall.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix#intro
A scan with MBAM would be a very good idea too.

cdestefani

  • Guest
Re: Nasty virus attack – Impossible to clean my PC, Assistance Please
« Reply #14 on: August 24, 2009, 05:34:59 AM »
This answer is general, based on the last posts by YoKenny, CharleyO, L'arc and micky77.

The virus killed Avast and others I think. That is why I did not have any antivirus in my log.

Today I uninstalled Avast, then ran ComboFix. Log is attached.

Installed Comodo Firewall and Antivirus. Updated the antivirus databases; haven't run the antivirus yet.

Cleaned the O2 entries; the O9 ones were missing.


Disabled the firewall and TeaTimer.

Ran HijackThis; log is attached.

Enabled TeaTimer.

Updated MBAM and ran it. Log is attached.

In my opinion, these are much better results. However, I would like to run DrWeb in Safe Mode, just to make sure, but my Safe Mode still does not work. How do I restore it? I have an ASUS P5GC MX/1333.

I also would like to have Avast back on my system; will it interfere with Comodo Antivirus?

Acrobat 7: I use it to generate my PDF files, so I think this is a pain I will live with. Is there any other option, e.g. making PDFs online?

The User Profile Hive Cleanup Service suggested to help with slow log-off and unreconciled profile problems looks good to me, but I would like to finish the cleaning process first. Secunia: I will run it when I open this message on my PC.