'cmd.exe' virus infected my PC with AVAST on!

(To Essexboy if possible, please:)

Found the net-resources window empty! Could no longer go on the internet at all with my PC (using a netbook for now). Ran AVAST immediately AFTER and found a ‘cmd.exe’ virus in a System32 file.
Chose to cancel the virus, but still have the problem with the empty net-resources window. Tried to create a new connection, but it seems there is no longer any guide or way to do it. Also the keyboard was blocked.
Could finally unblock the keyboard.
Wonder what else could have gone wrong… :-
My question is what to do about all this…? :frowning:
Should I run another program to see if my PC is still infected?
Should I erase everything and try to re-install the Windows OS?
How can I get my lost data back? (Have tried to go back some days with ‘System Restore’, without any change).

Please HELP! :cry:

Note: PC is a Pentium 4, 80 GB ROM, 1.5 GB RAM. OS: Win XP SP2

Essexboy likes to have some info, so if you can, follow this guide and post the logs
http://forum.avast.com/index.php?topic=53253.0

To avoid multiple posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach (OTL.Txt, Extras.Txt and the MBAM scan log)

What malware/virus name did avast alert on for the file?

Have had my PC in quarantine (off) since the date below.
Have copied the results of the AVAST scan onto a piece of paper, as follows:

‘c:\windows\Temp. S1elQG7i.Sys’

‘severità: elevata’
‘stato:: Minaccia. Win32.Malaware-gen’
‘azione: sposta nel cestino’

‘risultato: operazione effettuata con successo’

‘Log della scansione veloce:’
data: 03/10/2010 14:51:34’
‘risultato: virus rilevato’
‘/no execute=option/fast detect’
‘variabile:
Temp-> Com Spec’
‘valore: c:\WINDOWS\System32\cmd.exe’

My problem now is to load those cleaning programs without having internet running on my PC…
When I use a key, I am afraid of infecting this netbook I am using… :-\

Hi, on the uninfected system download and run the following programme
http://research.pandasecurity.com/panda-usb-and-autorun-vaccine/

THEN

Download OTS to your Desktop and double-click on it to run it

- Make sure you close all other programs and don’t use the PC while the scan runs.
- Select All Users
- Under additional scans select the following
  - Reg - NetSvcs
  - Reg - Shell Spawning
  - Evnt - EventViewer Logs (Last 10 Errors)
  - File - Lop Check
  - File - Purity Scan

- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.

Hi Essexboy :slight_smile:

Have already loaded the cleaning programs onto my netbook desktop and put them in a file.

Will load the Panda prog. AFTER, no problem, I think, or?

Thanks.

Run Panda preferably prior to putting the stick in the infected system

I meant in my netbook desktop. Already vaccinated my netbook and after that, vaccinated the key. Then copied the file to the key.

Copied OTL.exe file from vaccinated-key to PC desktop.
Opened it but didn’t find where to choose the first three lines you gave (Reg - NetSvcs, Reg - Shell Spawning, Evnt - EventViewer Logs (Last 10 Errors)).

Selected only ‘All Users’ and the last 2 lines: File - Lop Check and File - Purity Check.

Should I run it so?
(All the rest are selected to ‘Use SafeList’ and ‘File Age’ and the output is set to ‘Standard’).

Have just written the 3 missing lines in the “Custom Scan/Fixes” window…
Is it OK?

The lines are selected under additional scans

I have a different window.
The version is also different (3.2.15.0).
That little window at the bottom right is missing in the version I have. :frowning:

Oops I will update and check ;D

Ah OK you have OTL not OTS - they are different scanners

In that case run OTL - selecting all users and then click run scan

Running…

OK. Log files attached.

Noticed there’s always a window which appears twice after I close a program. It still appears after running OTL.
It shows:
“Errore nello Script di Internet Explorer” (I don’t use Win explorer and I have erased the browser since I received this note, but it appears all the same)
(continues…)
"Errore nello Script della pagina
Linea: 71
Carattere: 2
Errore: ‘topcontentFrame main location’ è nullo o non è un oggetto.
Codice: 0
URL: file://C:\Programmi\Alice ti aiuta\vendors\Alice RE\content\template\driven_dev\syncer\content\MotivePClient html
Continuare a eseguire gli script della pagina? yes or No "

Hi, we have a little nasty hiding - or it may just be a remnant, but it has to go

Windows Explorer has nothing to do with Internet Explorer

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - Reg Error: Value error. File not found
O3 - HKU\S-1-5-21-1957994488-1645522239-839522115-1004\..\Toolbar\ShellBrowser: (&Indirizzo) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-1957994488-1645522239-839522115-1004\..\Toolbar\WebBrowser: (&Indirizzo) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-1957994488-1645522239-839522115-1004\..\Toolbar\WebBrowser: (Co&llegamenti) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"2140:TCP"=-


:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

- Double click on ComboFix.exe & follow the prompts.

- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Will do as you say.
Only one doubt… I have no internet on my PC: the virus has left me with an empty net-resources window. So how can I load that recovery program?

Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.


Download ComboFix from one of these locations:

Link 1
Link 2

Note: It is important that it is saved directly to your desktop


With malware infections being as they are today, it’s strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft’s website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that’s appropriate for your Operating System. Download the file & save it as it is originally named.

Note: If you have SP3, use the SP2 package.


Transfer all files you just downloaded, to the desktop of the infected computer.


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif

- Drag the setup package onto ComboFix.exe and drop it.

- Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

http://img.photobucket.com/albums/v706/ried7/whatnext.png

- At the next prompt, click ‘Yes’ to run the full ComboFix scan.

- When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.

Have been running OTL for more than half an hour. The OTL window is stuck. The bar under the window shows as if the work were completed, but it is stuck there. No way to reboot the PC the usual way. Should I turn off the PC with the emergency button (the button to turn it on)? :-\

OTL window is still blocked…

Yes, use either control-alt-delete and close it via Task Manager, or go for a hard reset

Had to use the hard way…

Turned PC on and found a text window (.log extension).
Am attaching it here.

Should I continue with ComboFix?

Yes please continue with Combofix