WIN32: Vitro Virus

[Azure the Homeless]

  I've been reading for the past four hours about this virus, but I didn't post there since the topic was already two years old.  Anyway, to make a long story short, my dad's computer is working fine with the free version of Avast! Antivirus.  I am still unsure on how it was first infected, since I haven't been to any bad sites recently.  The only site that I was on was a HP Download site, downloading a printer driver. Anyway, this is definitely not an FP, as it has already infected just about every .exe and .html file that I could think of.  

  I did manage to boot up Windows XP again after the first infections were found by the AV. I did a total scan of the Hard Drive, found about 1000+ infected files(all .exe and .html), and thought it was gone; alas, I was wrong. After a second reboot I was still finding infected files, and the PC was beginning to look a bit hopeless, after checking in the Program Files folder to find that most of the Programs were gone.  Then I started here and read up on the subject.  I plan to FFR now, but in case there is any new development, I'd be happy to know.  Are there any other suggestions out there?

OS: Windows XP SP3

[PowerSource4Avast!]

Well.

Have you tried MalwareBytes Anti-Malware And/Or DrWEB Cureit!
If you have not already fixed it. That should help. If you already tried that. Reply back.

And have you tried booting it in safe mode with networking?

If you do. You might be able to download the programs.

If mbam scanned fully. Post your mbam log!

MBAM Is - MalwareBytes Anti-Malware

[Azure the Homeless]

Well.

Have you tried MalwareBytes Anti-Malware And/Or DrWEB Cureit!
If you have not already fixed it. That should help. If you already tried that. Reply back.

And have you tried booting it in safe mode with networking?

If you do. You might be able to download the programs.

If mbam scanned fully. Post your mbam log!

MBAM Is - MalwareBytes Anti-Malware

  I've contemplated on trying Dr.Web CureIt! a little while ago.  MBAM? I'll get on these both now..  Thanks a lot..  I'll keep you posted(I'm on my second PC).. Be right back..
Uhm, BTW, how to get these downloaded programs onto the infected PC without comprising the one that I'm already using??

[Gargamel360]

Really, you should read and follow this guide>>http://forum.avast.com/index.php?topic=53253.msg451454#msg451454, as this is a very nasty infection I would only feel right referring you to the resident expert. 

But....Vitro is a possible reformat situation also, just to forewarn you.

[Azure the Homeless]

Yes, I'm aware of that.  Fortunately most of the documents and important files were on two external drives that I unplugged as soon as I knew what was going on.  I just want to see if it is still salvageable without nuclear fallout after the war is over.. I hate reconstructions..   Shall read the link you gave me now..

[Azure the Homeless]

@PowerSource4Avast!

  Downloading Dr. Web CureIt! now.  Malwarebytes' Anti-Malware is downloading as well.  Will post back when they are done.  - Azure the Homeless

[Gargamel360]

Ok, if you follow the guide, just post the resulting logs as attachments back here.

Luck be with you  

[Azure the Homeless]

  Hah, I sure can believe the image you attached..  Will post back results ASAP..

[PowerSource4Avast!]

Good I hope the computer will be in great shape. I will not be watching on the post. I will be in bed. So Bye!!!!

[Azure the Homeless]

@PowerSource4Avast!

Alrighty..  Sorry for bothering, but with a 13-hour difference in time between the US and here I do sometimes forget about sleeping hours..  Thanks a lot.

[Azure the Homeless]

@Gargamel360

OK, I've got the MBAM log file here.  The other one is still yet to come.

---LOG FILE---

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

5/13/2011 12:41:19 PM
mbam-log-2011-05-13 (12-41-19).txt

Scan type: Quick scan
Objects scanned: 135233
Time elapsed: 19 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{376892AE-1825-4E5F-9F85-23F9640051CC} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{1FD79A59-37B1-459B-9097-09F9FAB8A523} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{B97F9125-71A1-48D0-B920-F140EF8DE809} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\DNSCache.DNSCacheObj.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\DNSCache.DNSCacheObj (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{376892AE-1825-4E5F-9F85-23F9640051CC} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Value: ForceClassicControlPanel -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
d:\WINDOWS\system32\calc.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

--------

Hope it helps yah.

[Gargamel360]

Ok, but post them as attachments, please.  (see "additional options" when you are making a new post)

[Azure the Homeless]

Gotcha...

[Gargamel360]

Ok, pm'd the guy who wrote the guide, he will be here at his earliest opportunity to have a look at them and advise what to do from here.

[Azure the Homeless]

  Ok, thanks a lot.. It must be late over there.  God bless!