Nasty virus attack – Impossible to clean my PC, Assistance Please

About 3 days my PC got infected with several viruses. This is what I have done so far:

First thing was to disconnect it from the internet.

Then I tried to start the PC in safe mode and it didn’t boot. I forced the Safe Mode with the msconfig selecting in Boot.ini “SafeMode/Minimal” and it took me to a nonstop starting loop. It took me over a day to fix the boot.ini file and make it start again. The PC has an ASUS P5GC MX/1333 and I can’t make it boot in safe mode.

With Windows XP SP3 in standard mode Avast and SpyBot were disabled; every time I want to run them a message says “they are not Win32 applications”. Malwarebytes is the only antivirus that works, and every time it runs it finds 2 or 3 registry keys and 4 or 5 infected files. I delete them all, but to delete some of them the PC must be rebooted, and in the process all of them are either not deleted or regenerated.

So I tried Avira Rescue CD with several files renamed, some of them in the System Volume Information folder that I could not get access to in order to delete them; the others were deleted, but I could also see they were regenerated.

Today I downloaded the DrWeb Rescue CD and attempted to clean it in the starting process, but it stopped in the System Volume Information folder. I ran it a few times and managed to stop it whenever I saw a virus (Trojan.StartPage) and restarted the scan, hoping that it would continue past the critical stop point without these files. But there was no difference.

I can’t install HijackThis, it is blocked by the viruses.

So, from my understanding what I could do are two options:

Try to find other Rescue CDs and run them, and eventually the PC may become clean, or ask for some assistance in this forum.

Can anyone offer me some assistance with this nasty problem? I am lost, not knowing what the best solution is. I can’t reformat the HD; I have a lot of data that I can’t copy (too many GBs) and I can’t afford to lose it.

Thanking you in advance,

Carlos


Hi Carlos -

Have you tried renaming HJT to something else?

Maybe CarlosThis? Will it install then?


Run some more rescue disks like Kaspersky Rescue CD and Norton Rescue Disk. Then after deleting some viruses, unplug your modem or halt any of your internet connectivity.

Try to find a clean PC and put on your Flash disk. From there download all updates of your antivirus and antimalwares.
(1) Avast updates
(2) SUPERantiSpyware

Then, copy all the updates to your Flash Disk and head over to your PC. Boot into Safe Mode and use the updates. Schedule an avast boot time scan.

NOTE: If avast won't open, head over to C:\Program Files\Alwil Software\Avast4\ashAvast.exe and rename ashAvast.exe to undefined.exe.

After the boot time scan, scan with MBAM and SuperAntiSpyware.

Post a Hijack This log here afterwards.

You should not use msconfig to start in safe mode on an infected PC. But I guess you know that now. Can you post as many of the infected file names and locations as possible, especially from MBAM and the rescue disc? No need to post any that were found in System Restore (System Volume Information).

CharlyO

I tried to rename HijackThis, but when I double click to install it, the “HijackThis” comes up and does it.

I even tried to rename the “ashAvast.exe” for a boot scan, and Windows Explorer stopped working.

L’arc,

Rescue CDs: I downloaded Kaspersky, but I can’t update the virus database, it fails, any help? I downloaded all the database available: complete (~67MB), weekly (~2MB) and daily (400KB), and put it on a USB, but it fails to update. Wrong data?

Norton Rescue CD is not for WinXP.

I downloaded F-Secure Rescue CD, but at the start the screen goes black and I stopped there after a couple of minutes.

I have two Rescue CDs left to try BitDefender and Avira, any comments?

I found that in those FTP sites there are iso and iso.md5 files, what are those? Which one do I need to download and burn?

Mickt77,

I ran Malwarebytes’ with database 2660 (8/19/2009) and found in a quick scan:

Worm.Bagle “Folder” in C:\Documents and Settings\Carlos\Application Data\drivers\downld
Rootkit.Bagle “File” in C:\Documents and Settings\Carlos\Application Data\drivers\111wfs1intwq.sys
Rootkit.Bagle.KillAV “File” in C:\Documents and Settings\Carlos\Application Data\drivers\11s11ro1s1a2.sys
Trojan.Agent “File” in C:\Documents and Settings\Carlos\Application Data\drivers\winupgro.exe
Rootkit.Bagle “Registry Key” HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drvsyskit
Rootkit.Bagle “Registry Key” HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\111111s1ro1s1a

I think that if those registry keys are deleted most of the problem will be solved. Any suggestions how to use RegEdit?

Thanks in advance for all your assistance.
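The MBAM findings above point at two persistence locations, a Run value and a service key, plus a drop folder under Application Data. The PowerShell below is an added example, not code from any poster in this thread: it only reports what is present at those locations and changes nothing. It assumes PowerShell 2.0 is installed on the XP machine; the value name `drvsyskit` and the `drivers` folder come from the log above.

```powershell
# Added example (not from the thread): report the persistence locations that the
# MBAM scan flagged, without modifying anything. Assumes PowerShell 2.0 on XP.
$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$svcRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$driversDir = Join-Path $env:APPDATA 'drivers'   # ...\Application Data\drivers

# 1. The Run value named in the log (drvsyskit), plus any Run value whose
#    command line points into the APPDATA\drivers drop folder.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
        $suspect = ($p.Name -eq 'drvsyskit') -or ("$($p.Value)" -like "*$driversDir*")
        if ($suspect) { "Run value: $($p.Name) = $($p.Value)" }
    }
}

# 2. Services or drivers whose ImagePath lives under a user profile instead of
#    %SystemRoot%; a legitimate kernel driver is not loaded from Application Data.
Get-ChildItem $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $img = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($img -and (($img -like '*Documents and Settings*') -or ($img -like '*Application Data*'))) {
        "Service $($_.PSChildName): ImagePath = $img"
    }
}

# 3. The drop folder itself, listing the files it still holds (hidden ones included).
if (Test-Path $driversDir) {
    "Folder exists: $driversDir"
    Get-ChildItem $driversDir -Force | ForEach-Object { "  $($_.Name)  $($_.LastWriteTime)" }
}
```

Run it from the infected user's account, since the Run key and `$env:APPDATA` are per-user; re-run after each reboot to see whether the entries come back.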

You can delete those registry keys using malwarebytes.
First update Malwarebytes and run a quick scan. Delete everything Malwarebytes finds and reboot.

Any suggestions how to use RegEdit?

Click Start > Run.

Type regedit, then click OK.

Browse to the area that you want to edit and have fun, but be extremely careful. I’d make a backup before making any changes.

How to back up and restore the registry in Windows http://support.microsoft.com/kb/322756

You definitely have the Beagle virus. Have a look at this tool. I would either print off the instructions, or use another PC to read them. I have no experience with this tool, but it's well worth looking at. I would read the instructions fully and several times.
Oddly the download link does not work, but there is another link by the same person, which does.

Instructions http://forums.majorgeeks.com/showthread.php?t=185312

Download http://forums.majorgeeks.com/showpost.php?p=1353888&postcount=5

Beagle?

Windows malicious removal tool can remove that, i think…

You should try that at the very least^^

-AnimeLover^^

micky77,

Thanks a lot! I downloaded, installed and ran FindyKill; it found several nasty files, etc.

I attach the logs from before and after the FindyKill cleaning. HijackThis works now too, so I attach its log as well for further analysis and comments.

Thanks

I would uninstall the vulnerable Acrobat 7.0.

If you only want to view pdf files then Foxit Reader is good but be sure to un-select the toolbar install as it is based on Ask.com:
http://www.filehippo.com/download_foxit

You should install User Profile Hive Cleanup Service to help with slow log off and unreconciled profile problems:
http://www.microsoft.com/DOWNLOADS/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

Run Secunia Online Software Inspector to see what other applications are vulnerable to infection:
http://secunia.com/vulnerability_scanning/online


In addition to what has been posted above, an analysis of your HJT log shows the following problems:

It seems that you don’t use an anti-virus scanner or your scanner is not active. Only an anti-virus scanner can protect you against new viruses.

We didn’t detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the Windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don’t use any firewall at all.
We recommend you to use a firewall. Download and install one, or activate Windows XP's own firewall.

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: (no name) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - (no file)
Related to Adobe Acrobat. Unnecessary (deactivated) entry that can be fixed.
http://www.spyandseek.com/Search.php?search_for=18DF081C-E8AD-4283-A596-FA578C2EBDC3&search=SAS-Search (5th entry on list)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
Unnecessary (deactivated) entry that can be fixed.

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
Unnecessary (deactivated) entry that can be fixed.

The above Bold entries should be fixed using HJT.

Overview of running tasks (process, category, description):

smss.exe (System task): Session Manager Subsystem
winlogon.exe (System task): Microsoft Windows Logon Process
services.exe (System task): Windows Service Controller
lsass.exe (System task): Local Security Authority Service
svchost.exe (System task): Microsoft Service Host Process
svchost.exe (System task): Microsoft Service Host Process
spoolsv.exe (System task): Microsoft Printer Spooler Service
AppleMobileDeviceService.exe (Background task): Apple Mobile Device Service
mDNSResponder.exe (Background task): Bonjour for Windows Component
DkService.exe (Background task): Executive Software
jqs.exe (Background task): jqs.exe
svchost.exe (System task): Microsoft Service Host Process
fxssvc.exe (Application): Microsoft Fax
Explorer.EXE (System task): Microsoft Windows Explorer
wscntfy.exe (System task): Microsoft Windows Security Center
svchost.exe (System task): Microsoft Service Host Process
igfxtray.exe (Application): Intel Graphics configuration and diagnostic application
hkcmd.exe (Application): Intel multimedia devices
igfxpers.exe (Driver): Intel Common User Interface Module
essspk.exe (Application): ESS V92 modems
GrooveMonitor.exe (Background task): GrooveMonitor Utility
HPWuSchd2.exe (Background task): Hewlett Packard Software Update Scheduler
Acrotray.exe (Background task): Acrobat Traybar Assistant
RTHDCPL.EXE (Driver): Realtek HD Audio Sound Effect Manager
igfxsrvc.exe (Driver): Intel(R) Common User Interface
jusched.exe (Background task): Sun Java Update Scheduler
iTunesHelper.exe (Application): Apple iTunes
ctfmon.exe (System task): Alternative User Input Services
TeaTimer.exe (Application): Spybot S&D Realtime Scanner
MMonitor.exe (Background task): TMMonitor
Acrobat_sl.exe (Unknown task): Unknown task
hpqtra08.exe (Background task): Hewlett Packard Imaging
WZQKPICK.EXE (Background task): WinZip System Tray Application
FileOpenAPI.exe (Unknown task): Unknown task
iPodService.exe (Background task): Apple iTunes
wuauclt.exe (System task): AutoUpdate Client
HijackThis.exe (Application): Merijn Hijackthis


So, here are my findings in your HJT log:

Antivirus
It seems like you don't have any antivirus installed, or it could have possibly been disabled by the virus. Please enable/install one as early as possible.
avast! Home download page

Firewall
It seems like you are either using XP’s firewall or no firewall at all. XP’s firewall does not support outbound protection so, you may enhance your protection by installing one with Outbound Protection. Examples are PCTools | Online Armor | Agnitum Outpost

Unnecessary and deactivated keys that can be fixed

  • O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)

  • O2 - BHO: (no name) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - (no file)

  • O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

  • O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

EDIT: CharleyO is really fast. :grin:

The FindyKill log looks impressive. I would consider running ComboFix; it may work properly now you have removed some nasties.
I don’t normally suggest it, because I am not experienced with it. However Bagle/Beagle is such a baddy, I find it hard to believe you're anywhere near clean. Remember to remove your old version first. Read the instructions carefully, especially about the recovery console, and disabling all real-time protection, including TeaTimer, and firewall.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix#intro
A scan with MBAM would be a very good idea too.

This answer is in general, based on last posts by YoKenny, CharleyO, L’arc and Micky77,

The virus killed Avast and others I think. That is why I did not have any antivirus in my log.

Today I uninstalled Avast, then run ComboFix. Log is attached.

Installed Comodo Firewall and Antivirus. Updated antivirus databases, not run the antivirus yet.

Cleaned O2 entries; O9 were missing.

Disable Firewall and TeaTimer,

Run HijackThis, log is attached.

Enable Teatimer.

Updated MBAM and ran it. Log is attached.

In my opinion, these are much better results. However, I would like to run DrWeb in Safe Mode, just to make sure, but my Safe Mode still does not work. How do I restore it? I have an ASUS P5GC MX/1333.

I also would like to have Avast back in my system, will it interfere with Comodo Antivirus?

Acrobat 7: I use it to generate my pdf files, so I think this is a pain I will live with. Is there any other option? e.g. making pdfs online?

The User Profile Hive Cleanup Service suggested to help with slow log off and unreconciled profile problems looks good to me, but I would like to finish with the cleaning process first. Secunia I will run when I open this message on my PC.

Read about Comodo as it will interfere with avast!
http://forum.avast.com/index.php?topic=46737.0

DrWeb is another antivirus application, and you cannot run 2 antivirus applications concurrently, as they interfere with one another.

If you must use a software firewall then either Outpost or PC Tools are recommended.

I like Malwarebytes Anti-Malware (MBAM) and I use the resident protect version as it adds an additional layer of protection and it is only $28.34CDN one time charge.

YoKenny,

Thanks for your answer. Very good comments and link. I think PCTools will be the choice since it is installed in another PC.

Have a look at these 2 links http://blog.didierstevens.com/2007/02/19/restoring-safe-mode-with-a-reg-file/

http://blog.didierstevens.com/2006/06/26/restoring-safeboot/

Be careful though, and read carefully. Also, you have XP SP3, so the registry file may not work; maybe you could export from another XP SP3 PC, if you know what you're doing.
Also make sure you restore from before the infection, so as not to restore the virus.

I had visited the link for the “Safe Mode” problem and it is excellent! The zip file also has a file for WinXP SP3. After 3 attempts the file merged and I recovered Safe Mode. This was yesterday; I ran Avast in Safe Mode at that time and the report says the PC is clean.

Previously this is what I have done:

  • I uninstalled the Comodo Firewall and Antivirus
  • Installed Avast
  • Installed PC Tools Firewall
    Once this was finished I set a boot scan with Avast and found 18 files in the System Volume Information folder, most of them with the Beagle virus and some with Trojans. The report is attached.

Then:

  • Installed the Foxit reader and set it as default reader.
    I left Adobe Acrobat 7 installed; I need it to generate my pdf files. I hope that with the firewall I will be able to block its access to the net whenever it tries.

Now, I have pending to visit the Hive Cleanup Service from Microsoft.

What I noticed is that it takes longer to boot and switch off the PC after this virus attack. Is there any way to recover this? Is the CCleaner facility of any use, or does it help?

Use CCleaner to disable some unnecessary startup items like AdobeSpeedLauncher.