Old 11-06-2009, 02:41 PM   #1 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 8
OS: XP


malwarebytes won't run, website redirects, exes automatically getting installed-help!

Original post

http://www.techsupportforum.com/secu...installed.html

Hello,

My comp is behaving strangely. When I tried to run Malwarebytes, it gave me 2 problems: a 732(0,0) error when checking updates, and when it started to scan, it automatically closed after 2 seconds. I also saw a.exe, b.exe, etc. in my system that I had deleted prior to finding this nice forum. When I tried to diagnose the 732(0,0) and auto-close problems by searching in Google, I found some links, but whenever I clicked on them, the website would either not open or would take me to potential "anti-spyware" or "anti-virus" software.
When I log on to my system, it gives me weird errors as well: cannot find logon.exe, and some errors that say a registry cannot be written into.

I followed the forum instructions and tried to run DDS but it did not create any logs. I did manage to create ARK.txt, which I am attaching with this thread. Appreciate the help!
Attached Files
File Type: zip attach.zip (1.3 KB, 4 views)
bhavanis is offline  
Old 11-10-2009, 10:26 AM   #2 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 8
OS: XP


Re: malwarebytes won't run, website redirects, exes automatically getting installed-h

BUMP Please
bhavanis is offline  
Old 11-10-2009, 05:41 PM   #3 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,477
OS: XP SP3


Re: malwarebytes won't run, website redirects, exes automatically getting installed-h

Hello bhavanis,

Please save this file to your desktop. Click Start->Run, and copy-paste the following bolded text into the Run box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents in your next reply.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Old 11-11-2009, 10:38 AM   #4 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 8
OS: XP


Re: malwarebytes won't run, website redirects, exes automatically getting installed-h

Hello! Thanks for looking into this; really appreciate it. Here's the output from Win32kDiag.txt:

Running from: C:\Documents and Settings\D111214\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\D111214\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINNT'...



Found mount point : C:\WINNT\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\addins\addins

Found mount point : C:\WINNT\assembly\NativeImages1_v1.1.4322\CustomMarshalers\CustomMarshalers

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\assembly\NativeImages1_v1.1.4322\CustomMarshalers\CustomMarshalers

Found mount point : C:\WINNT\assembly\NativeImages1_v1.1.4322\mscorlib\mscorlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\assembly\NativeImages1_v1.1.4322\mscorlib\mscorlib

Found mount point : C:\WINNT\assembly\NativeImages1_v1.1.4322\System\System

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\assembly\NativeImages1_v1.1.4322\System\System

Found mount point : C:\WINNT\assembly\NativeImages1_v1.1.4322\System.Drawing\System.Drawing

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\assembly\NativeImages1_v1.1.4322\System.Drawing\System.Drawing

Found mount point : C:\WINNT\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\System.Windows.Forms

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\System.Windows.Forms

Found mount point : C:\WINNT\assembly\NativeImages1_v1.1.4322\System.Xml\System.Xml

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\assembly\NativeImages1_v1.1.4322\System.Xml\System.Xml

Found mount point : C:\WINNT\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Found mount point : C:\WINNT\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\assembly\temp\temp

Found mount point : C:\WINNT\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\assembly\tmp\tmp

Found mount point : C:\WINNT\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\Config\Config

Found mount point : C:\WINNT\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\Connection Wizard\Connection Wizard

Found mount point : C:\WINNT\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\CSC\d1\d1

Found mount point : C:\WINNT\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\CSC\d7\d7

Found mount point : C:\WINNT\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\ime\chsime\applets\applets

Found mount point : C:\WINNT\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\ime\CHTIME\Applets\Applets

Found mount point : C:\WINNT\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\ime\imejp98\imejp98

Found mount point : C:\WINNT\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\ime\imjp8_1\applets\applets

Found mount point : C:\WINNT\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\ime\imkr6_1\applets\applets

Found mount point : C:\WINNT\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINNT\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\ime\shared\res\res

Found mount point : C:\WINNT\Installer\MWI\Visio\2003\Other\Other

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\Installer\MWI\Visio\2003\Other\Other

Found mount point : C:\WINNT\Installer\MWI\Visio\2003\Patches\Patches

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\Installer\MWI\Visio\2003\Patches\Patches

Found mount point : C:\WINNT\Installer\MWI\Visio\2003\Shortcuts\Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\Installer\MWI\Visio\2003\Shortcuts\Shortcuts

Found mount point : C:\WINNT\Installer\MWI\Visio\2003\Vendor\Vendor

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\Installer\MWI\Visio\2003\Vendor\Vendor

Found mount point : C:\WINNT\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\java\trustlib\trustlib

Found mount point : C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINNT\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINNT\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\msapps\msinfo\msinfo

Found mount point : C:\WINNT\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\msdownld.tmp\msdownld.tmp

Found mount point : C:\WINNT\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINNT\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINNT\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\WINNT\pchealth\helpctr\binaries\HelpSvc.exe

Attempting to restore permissions of : C:\WINNT\pchealth\helpctr\binaries\HelpSvc.exe

Found mount point : C:\WINNT\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINNT\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINNT\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINNT\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINNT\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\pchealth\helpctr\System_OEM\System_OEM

Found mount point : C:\WINNT\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\pchealth\helpctr\Temp\Temp

Cannot access: C:\WINNT\Prefetch\ASPNET_REGIIS.EXE-22B3927D.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\ASPNET_REGIIS.EXE-22B3927D.pf

Cannot access: C:\WINNT\Prefetch\CACLS.EXE-04CC0710.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\CACLS.EXE-04CC0710.pf

Cannot access: C:\WINNT\Prefetch\CMD.EXE-128F538E.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\CMD.EXE-128F538E.pf

Cannot access: C:\WINNT\Prefetch\CSCRIPT.EXE-0CD22902.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\CSCRIPT.EXE-0CD22902.pf

Cannot access: C:\WINNT\Prefetch\EXPLORER.EXE-28CE6F94.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\EXPLORER.EXE-28CE6F94.pf

Cannot access: C:\WINNT\Prefetch\GACUTIL.EXE-2FBC3DE1.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\GACUTIL.EXE-2FBC3DE1.pf

Cannot access: C:\WINNT\Prefetch\LODCTR.EXE-1494C207.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\LODCTR.EXE-1494C207.pf

Cannot access: C:\WINNT\Prefetch\LOGON.SCR-30357DB7.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\LOGON.SCR-30357DB7.pf

Cannot access: C:\WINNT\Prefetch\MOFCOMP.EXE-373E3BF1.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\MOFCOMP.EXE-373E3BF1.pf

Cannot access: C:\WINNT\Prefetch\MSDTC.EXE-2984CDC4.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\MSDTC.EXE-2984CDC4.pf

Cannot access: C:\WINNT\Prefetch\MSIEXEC.EXE-0343B1B1.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\MSIEXEC.EXE-0343B1B1.pf

Cannot access: C:\WINNT\Prefetch\NET.EXE-19655760.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\NET.EXE-19655760.pf

Cannot access: C:\WINNT\Prefetch\NET1.EXE-1BAF7449.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\NET1.EXE-1BAF7449.pf

Cannot access: C:\WINNT\Prefetch\NETFXUPDATE.EXE-12A58897.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\NETFXUPDATE.EXE-12A58897.pf

Cannot access: C:\WINNT\Prefetch\NGEN.EXE-029EC9AB.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\NGEN.EXE-029EC9AB.pf

Cannot access: C:\WINNT\Prefetch\REGEDIT.EXE-1296D1F9.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\REGEDIT.EXE-1296D1F9.pf

Cannot access: C:\WINNT\Prefetch\REGSVR32.EXE-29C480B8.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\REGSVR32.EXE-29C480B8.pf

Cannot access: C:\WINNT\Prefetch\REGTLIB.EXE-0704A429.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\REGTLIB.EXE-0704A429.pf

Cannot access: C:\WINNT\Prefetch\SC.EXE-261A4B2F.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\SC.EXE-261A4B2F.pf

Cannot access: C:\WINNT\Prefetch\SHUTDOWN.EXE-3ACB432E.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\SHUTDOWN.EXE-3ACB432E.pf

Cannot access: C:\WINNT\Prefetch\UNREGMP2.EXE-1140870C.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\UNREGMP2.EXE-1140870C.pf

Cannot access: C:\WINNT\Prefetch\USERINIT.EXE-33355E3C.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\USERINIT.EXE-33355E3C.pf

Cannot access: C:\WINNT\Prefetch\WMIADAP.EXE-33C2425D.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\WMIADAP.EXE-33C2425D.pf

Cannot access: C:\WINNT\Prefetch\WMIPRVSE.EXE-342A501C.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\WMIPRVSE.EXE-342A501C.pf

Cannot access: C:\WINNT\Prefetch\WSCNTFY.EXE-05C3D103.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\WSCNTFY.EXE-05C3D103.pf

Cannot access: C:\WINNT\Prefetch\WSCRIPT.EXE-29ED863C.pf

Attempting to restore permissions of : C:\WINNT\Prefetch\WSCRIPT.EXE-29ED863C.pf

Found mount point : C:\WINNT\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\Registration\CRMLog\CRMLog

Found mount point : C:\WINNT\setup.pss\setupupd\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\setup.pss\setupupd\temp\temp

Found mount point : C:\WINNT\SoftwareDistribution\Download\Download

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\SoftwareDistribution\Download\Download

Found mount point : C:\WINNT\SoftwareDistribution\EventCache\EventCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\SoftwareDistribution\EventCache\EventCache

Found mount point : C:\WINNT\SoftwareDistribution\SelfUpdate\SelfUpdate

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\SoftwareDistribution\SelfUpdate\SelfUpdate

Found mount point : C:\WINNT\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\Sun\Java\Deployment\Deployment

Found mount point : C:\WINNT\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\SxsCaPendDel\SxsCaPendDel

Cannot access: C:\WINNT\system32\eventlog.dll

Attempting to restore permissions of : C:\WINNT\system32\eventlog.dll

[1] 2004-08-04 00:56:44 55808 C:\WINNT\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 00:56:44 61952 C:\WINNT\system32\eventlog.dll ()

[2] 2004-08-04 00:56:44 55808 C:\WINNT\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINNT\Temp\DdmiData\DdmiData

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\Temp\DdmiData\DdmiData

Cannot access: C:\WINNT\Temp\ddmiscan.exe

Attempting to restore permissions of : C:\WINNT\Temp\ddmiscan.exe

Found mount point : C:\WINNT\Temp\TestEngDat64\TestEngDat64

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\Temp\TestEngDat64\TestEngDat64

Found mount point : C:\WINNT\Temp\{73DA761D-368D-4A02-87B5-86A09ED33613}\{f0a37341-d692-11d4-a984-009027ec0a9c}\{f0a37341-d692-11d4-a984-009027ec0a9c}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\Temp\{73DA761D-368D-4A02-87B5-86A09ED33613}\{f0a37341-d692-11d4-a984-009027ec0a9c}\{f0a37341-d692-11d4-a984-009027ec0a9c}

Found mount point : C:\WINNT\Temp\{857606CF-2DD7-404D-8A6D-9C0F5A99F2EA}\{857606CF-2DD7-404D-8A6D-9C0F5A99F2EA}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\Temp\{857606CF-2DD7-404D-8A6D-9C0F5A99F2EA}\{857606CF-2DD7-404D-8A6D-9C0F5A99F2EA}

Found mount point : C:\WINNT\Temp\{91B369D9-4B71-4F18-B930-9342E3946273}\{91B369D9-4B71-4F18-B930-9342E3946273}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\Temp\{91B369D9-4B71-4F18-B930-9342E3946273}\{91B369D9-4B71-4F18-B930-9342E3946273}

Found mount point : C:\WINNT\Tivoli\lcf\dat\1\cache\out-of-date\out-of-date

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\Tivoli\lcf\dat\1\cache\out-of-date\out-of-date

Found mount point : C:\WINNT\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINNT\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINNT\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989



Finished!
bhavanis is offline  
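As an added example (not from the thread and not part of the Win32kDiag tool), a small Python triage script that parses a log in the format bhavanis posted and summarises what the analyst reads from it: every mount point and the device it was redirected to, every file whose permissions had to be reset, and any system DLL whose size or version string differs from its dllcache copy. The embedded sample log is a constructed, abridged version of the one above, and the regexes assume the line layout shown there.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample in the same layout as the Win32kDiag log posted above (abridged).
SAMPLE_LOG = r"""Running from: C:\Documents and Settings\user\desktop\win32kdiag.exe
Log file at : C:\Documents and Settings\user\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\WINNT'...

Found mount point : C:\WINNT\addins\addins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINNT\addins\addins
Found mount point : C:\WINNT\Config\Config
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINNT\Config\Config
Cannot access: C:\WINNT\Prefetch\CMD.EXE-128F538E.pf
Attempting to restore permissions of : C:\WINNT\Prefetch\CMD.EXE-128F538E.pf
Cannot access: C:\WINNT\system32\eventlog.dll
Attempting to restore permissions of : C:\WINNT\system32\eventlog.dll
[1] 2004-08-04 00:56:44 55808 C:\WINNT\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2004-08-04 00:56:44 61952 C:\WINNT\system32\eventlog.dll ()
[2] 2004-08-04 00:56:44 55808 C:\WINNT\system32\logevent.dll (Microsoft Corporation)
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
DENIED_RE = re.compile(r"^Cannot access: (.+)$")
# "[1] 2004-08-04 00:56:44 55808 C:\path\file.dll (Microsoft Corporation)"
FILE_RE = re.compile(r"^\[\d+\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")


@dataclass
class Triage:
    mount_points: List[Tuple[str, str]] = field(default_factory=list)  # (path, destination)
    denied: List[str] = field(default_factory=list)                     # files whose ACL had to be reset
    suspicious: List[Tuple[str, str]] = field(default_factory=list)     # (path, reason)


def parse_win32kdiag(text: str) -> Triage:
    """Walk the log once and collect the three findings an analyst looks for."""
    result = Triage()
    pending_mount = None
    # basename -> [(path, size, company)] for every file listing the tool printed
    copies: Dict[str, List[Tuple[str, int, str]]] = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MOUNT_RE.match(line):
            pending_mount = m.group(1)
        elif (m := DEST_RE.match(line)) and pending_mount is not None:
            # The destination line always follows its "Found mount point" line.
            result.mount_points.append((pending_mount, m.group(1)))
            pending_mount = None
        elif m := DENIED_RE.match(line):
            result.denied.append(m.group(1))
        elif m := FILE_RE.match(line):
            _timestamp, size, path, company = m.groups()
            copies[path.rsplit("\\", 1)[-1].lower()].append((path, int(size), company))
    # Compare each listed system file against its dllcache copy, as the analyst does by eye:
    # a different size or a missing company string points at a patched file.
    for entries in copies.values():
        reference = next((e for e in entries if "\\dllcache\\" in e[0].lower()), None)
        for path, size, company in entries:
            if reference is not None and path != reference[0] and size != reference[1]:
                result.suspicious.append((path, f"size {size} differs from dllcache copy ({reference[1]})"))
            if not company:
                result.suspicious.append((path, "no company/version string (possibly patched)"))
    return result


def summarize(text: str) -> dict:
    """Counts and the redirect destinations, which is what decides the next step."""
    t = parse_win32kdiag(text)
    return {
        "mount_points": len(t.mount_points),
        "destinations": dict(Counter(dest for _, dest in t.mount_points)),
        "denied": len(t.denied),
        "suspicious": t.suspicious,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```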
Old 11-11-2009, 01:42 PM   #5 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,477
OS: XP SP3


Re: malwarebytes won't run, website redirects, exes automatically getting installed-h

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. How to disable your security applications
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Please make sure that your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done that.
amateur is offline  
Old 11-11-2009, 04:43 PM   #6 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 8
OS: XP


Re: malwarebytes won't run, website redirects, exes automatically getting installed-h

Hello,

I used link 1 you provided to download and run ComboFix. When I double-clicked the downloaded exe, it gives me the following message in a window. I hit OK the first time when the error message came and then it gave me further warnings. I closed it without proceeding further, and redownloaded ComboFix, and it gave the error message again. I also do not see the txt file in C:\, since I suppose I didn't run ComboFix ultimately because of this error. I am putting the error as an attachment (pasted the error message in a word doc):

---------------------------
Error
---------------------------
!! ALERT !! It is NOT SAFE to continue!



The contents of the ComboFix package has been compromised.

Please download a fresh copy from:



http://www.bleepingcomputer.com/comb...o-use-combofix



Note: You may be infected with a file patching virus 'Virut'
---------------------------
OK
---------------------------
Attached Files
File Type: doc Combofix-alert.doc (30.0 KB, 0 views)
bhavanis is offline  
Old 11-11-2009, 04:57 PM   #7 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 8
OS: XP


Re: malwarebytes won't run, website redirects, exes automatically getting installed-h

Hello,

I went to the bleepingcomputer.com site that the 1st link points to and downloaded ComboFix from there. This time it took some time but downloaded the 3.4MB file. When I double-clicked the exe, it again gave me the same error, and when I clicked OK, it just closed, but also, ComboFix.exe got deleted (not even in the Recycle Bin).
bhavanis is offline  
Old 11-11-2009, 05:23 PM   #8 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,477
OS: XP SP3


Re: malwarebytes won't run, website redirects, exes automatically getting installed-h

Hi,

Quote:
Note: You may be infected with a file patching virus 'Virut'
That's not good news. Combofix will not run if it detects Virut in the system and it's quite accurate in detection, but we could run this online scan to further verify the presence of the Virut infection.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Note for Internet Explorer 8 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Last edited by amateur; 11-11-2009 at 05:25 PM.
amateur is offline  
Old 11-11-2009, 05:41 PM   #9 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 8
OS: XP


Re: malwarebytes won't run, website redirects, exes automatically getting installed-h

Hi! Thanks for the quick response.

I tried multiple times, but am unable to access the Kaspersky site. I copied the link, shut down and rebooted, etc., but I keep getting the "Unable to access site" message. Is the virus/malware preventing me from accessing the site? This is what Mozilla gives me:

Server not found



Firefox can't find the server at www.kaspersky.com.

* Check the address for typing errors such as
ww.example.com instead of
www.example.com

* If you are unable to load any pages, check your computer's network
connection.

* If your computer or network is protected by a firewall or proxy, make sure
that Firefox is permitted to access the Web.
bhavanis is offline  
Old 11-11-2009, 06:07 PM   #10 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,477
OS: XP SP3


Re: malwarebytes won't run, website redirects, exes automatically getting installed-h

Hi,

Quote:
Is the virus/malware preventing me from accessing the site?
Most likely. Apart from possible Virut, you have another infection that messes up the permissions, preventing you from running many applications. There may be other infections on board too, which we are unable to see without any diagnostic logs.

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    C:\WINDOWS\system32\winlogon.exe

  • Then click the "Send File " button just below.
  • This will scan the file. Please be patient.
  • If the file has been analyzed before, click the Reanalyse file now button.
  • Wait until the file is analyzed.
  • Once scanned, save (copy and paste) the results.
  • Please repeat the process for the following files:

    • C:\WINDOWS\SYSTEM32\lsass.exe
    • C:\WINDOWS\explorer.exe


Come back and post the results in your topic for review.
amateur is offline  
Old 11-11-2009, 06:14 PM   #11 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 8
OS: XP


Re: malwarebytes won't run, website redirects, exes automatically getting installed-h

Hi!

Unfortunately, I am unable to open this new link as well. I can open it from another computer I have, but not from the computer where I am having all these problems. Is there some way the software can be attached to this thread so I can download and run it? This is scary! Thanks again!
bhavanis is offline  
Old 11-11-2009, 06:44 PM   #12 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,477
OS: XP SP3


Re: malwarebytes won't run, website redirects, exes automatically getting installed-h

At this point, better advice would be to reformat and reinstall the operating system. We should not waste any more time and save your data. Here's some information about virut:

Virut is a polymorphic file infector, infecting all the executable files (.exe) and screen saver files (.scr) by way of corrupting them beyond repair. Unfortunately, many experts in the community believe the best approach is to reformat and reinstall. While backing up your files prior to r/r, please make sure that you do not back up any executables, screen savers and compressed files such as zip, rar and cab, and also the htm/html/php files, as they may also contain infected files. Latest variants also infect the .jpg, .pdf and .doc files, which makes backing up any personal documents and pictures risky.

There's no tool that can fix this infection at the moment. Some tools claim to disinfect it but they also end up corrupting the system files in the end just like the virut itself.

Do not back up to another machine or another internal harddrive, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

Virut is mostly spread via crack and keygen sites. Virut is also a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Here's some further information on this infection:

http://www.microsoft.com/security/en...=Win32%2fVirut
http://vil.nai.com/vil/content/v_143034.htm
http://www.avast.com/eng/win32-virut.html
http://www.symantec.com/security_res...558-99&tabid=1

If you need assistance in performing a clean install, here are a couple of good guides to walk you through the process:

http://www.windowsreinstall.com/winx...tallguides.htm
http://helpdesk.its.uiowa.edu/window...s/reformat.htm


You might also like to have a look at this blog by our colleague, miekiemoes:

http://miekiemoes.blogspot.com/2009/...-throwing.html
amateur is offline  
Copyright 2001 - 2009, Tech Support Forum