Virus stops anti virus programs, incl hjk, and stops safe mode and task manager



Corvus75
2009-11-02, 23:37
Hi, I would have preferred to start this with a hijack this log but unfortunately I have developed a really stubborn virus / viruses and they close all the anti virus ware etc programs I have.

So far I have tried

Spybot, result was Spybot exe was removed, and I am unable to run it
hijack this, result system scan hangs and quits after it gets to a certain registry
Adaware, program doesn't run
Safe Mode, safe mode never reached, system reboots before it opens
Task Manager, unresponsive to control,alt,delete
Malwarebytes, result similar to hijack this

The strange entries I have found on the pc led me to believe it might be something called reader_s.exe, and its companion programs. Thinking it was this I tried to destroy the virus myself with a virut anti virus program, this seemed to do squat.

Now I'm just left twiddling my thumbs, not really sure where else I can go other than saving my files and saying adieu to my computer. I have probably made a hamfisted attempt at getting rid of this virus myself which has likely made it much worse; however, I am not keen on passing off problems to others before I have had a fair crack at it myself.

Any help or advice is hugely appreciated, I appreciate my thread is a bit of a ramble but I can give clarity to any questions asked, just a bit lost and don't know where to start with it.

Cheers
Alex

ken545
2009-11-05, 00:38
Hello Alex

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.



Please download RootRepeal from one of these locations and save it to your desktop
Here (http://ad13.geekstogo.com/RootRepeal.exe)
Here (http://download.bleepingcomputer.com/rootrepeal/RootRepeal.exe)
Here (http://rootrepeal.psikotick.com/RootRepeal.exe)

Open RootRepeal on your desktop (icon: http://billy-oneal.com/forums/rootRepeal/rootRepealDesktopIcon.png).
Click the Report tab (http://billy-oneal.com/forums/rootRepeal/reportTab.png).
Click the Scan button (http://billy-oneal.com/forums/rootRepeal/btnScan.png).
Check just these boxes (see screenshot):
http://forums.whatthetech.com/uploads/monthly_08_2009/post-75503-1250480183.gif
Push Ok
Check the box for your main system drive (usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the Save Report button (http://billy-oneal.com/forums/rootRepeal/saveReport.png). Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.

Corvus75
2009-11-06, 16:06
Hi Ken, sorry about the delay in replying, since posting I went back and backed up most of my irreplaceable info/photos etc, took a little bit of time.

I have downloaded RootRepeal without much problem, though on the install/first run Spybot resident flagged it as a keylogger and tried to close it.

Spybot resident is running on my computer although I seem to have no access to it. I get flags come up for a couple of processes: reader_s.exe is one of them, restorer is another, and a third I forgot to remember the name of. They turn up consistently as soon as I go online. My normal knee jerk response is to use Spybot's suggestion of killing the process automatically. I thought this was worth mentioning since it may be something which is not present on the logs. Also I constantly get three porn icon shortcuts on the desktop as soon as I go online: nudetube/pornotube/youporn.

Right, onto the RootRepeal. I did as you instructed but received no prompt for a drive selection, just the tick boxes you told me. I have reports for each element of the report, but I assume you just want the one from the report tab; it is as follows.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/11/06 14:49
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF0A55000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF5572000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF68E6000 Size: 61440 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x84034310

#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf75c987e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf75c9bfe

==EOF==


Cheers
Alex
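The report above can be triaged mechanically. What follows is an added example written for this thread, not code from the forum, the poster or the RootRepeal project: a small Python parser that reads the Drivers and SSDT sections of a RootRepeal report and flags what an analyst would look at first: a driver whose image path ends in an NTFS alternate data stream suffix (win32k.sys:1 and win32k.sys:2 here), a loaded driver whose file is not visible on disk, and an SSDT entry hooked by a module RootRepeal could not identify. The severity labels and the allowlist for the scanner's own driver are assumptions of this example, not RootRepeal's own classification; hooks by a named module are reported as informational so the analyst can check which installed product owns it.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the Drivers and SSDT sections of the RootRepeal report
# posted in this thread, embedded verbatim so the script runs offline.
SAMPLE_LOG = r"""Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF0A55000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF5572000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF68E6000 Size: 61440 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x84034310

#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf75c987e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf75c9bfe

==EOF==
"""

# 'Key: value' pairs in a driver block; several share one line, so stop before the next key.
KV_RE = re.compile(r"(Name|Image Path|Size|File Visible): (.*?)(?=\s+(?:Size|File Visible|Signed): |$)", re.M)
SSDT_RE = re.compile(r'#:\s*(\d+)\s+Function Name:\s*(\S+)\s*\nStatus: Hooked by "([^"]*)" at address (0x[0-9A-Fa-f]+)')
ADS_RE = re.compile(r":\d+$")  # NTFS alternate data stream suffix, e.g. win32k.sys:1

@dataclass
class Finding:
    severity: str  # "high", "medium" or "info": assumed triage labels, not RootRepeal's
    item: str
    reason: str

def split_sections(text):
    """Group report lines under the heading that precedes each dashed underline."""
    lines = text.splitlines()
    sections, current = {}, None
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("---"):
            current = line.strip()
            sections[current] = []
        elif current is not None and not line.startswith("---"):
            sections[current].append(line)
    return sections

def parse_drivers(lines):
    """Each driver is a blank-line-separated block of 'Key: value' lines."""
    drivers = []
    for block in "\n".join(lines).strip().split("\n\n"):
        f = dict(KV_RE.findall(block))
        if "Name" in f:
            drivers.append({"name": f["Name"], "path": f.get("Image Path", ""),
                            "size": int(f.get("Size", 0)),
                            "visible": f.get("File Visible", "").lower() == "yes"})
    return drivers

def parse_ssdt(lines):
    """Return (index, function, hooking module, address) for each hooked SSDT entry."""
    return [(int(i), fn, who, addr) for i, fn, who, addr in SSDT_RE.findall("\n".join(lines))]

def assess(text, scanner_drivers=("rootrepeal.sys",)):
    """Triage a RootRepeal report into the findings an analyst would review first."""
    sections = split_sections(text)
    findings = []
    for d in parse_drivers(sections.get("Drivers", [])):
        if d["name"].lower() in scanner_drivers:
            continue  # the scanner's own driver is expected here (assumed allowlist)
        if ADS_RE.search(d["path"]):
            findings.append(Finding("high", d["name"], "driver loaded from an NTFS alternate data stream"))
        elif not d["visible"]:
            findings.append(Finding("medium", d["name"], "loaded driver has no visible file on disk"))
    for _, fn, who, _ in parse_ssdt(sections.get("SSDT", [])):
        if who == "<unknown>":
            findings.append(Finding("high", fn, "SSDT entry hooked by an unidentified module"))
        else:
            findings.append(Finding("info", fn, f"SSDT entry hooked by {who}"))
    return findings

if __name__ == "__main__":
    for f in assess(SAMPLE_LOG):
        print(f"[{f.severity}] {f.item}: {f.reason}")
```

Run against the sample it reports the two alternate-stream copies of win32k.sys and the NtConnectPort hook as high, and the two Lbd.sys hooks as informational. The near-instant scan time Alex mentions is consistent with the report being short: only three drivers and three hooks were listed, and the rest of the report sections are absent.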

Corvus75
2009-11-06, 16:07
Oh and one more thing Ken, the scan took next to no time to complete, not far from instant. Thought this might be important to know

Cheers
Alex

ken545
2009-11-06, 16:36
Hello Alex

You're infected with the max++ Rootkit. This Rootkit prevents all security programs and scanners from running. It's going to take a bit of work to remove it, but it can be removed.


Download and run Win32kDiag:
Download Win32kDiag from any of the following locations and save it to your Desktop.
Download Win32kDiag (Win32kDiag.exe) - #1 (http://ad13.geekstogo.com/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #2 (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #3 (http://rootrepeal.psikotick.com/Win32kDiag.exe)

Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

Corvus75
2009-11-06, 17:52
Hi Ken, currently writing this from my iPhone. Latest development is I can now no longer run normal Windows. I can get into the recovery console, BIOS etc, but Windows tries to boot, fails and restarts my system, in an endless loop. Any suggestions?

ken545
2009-11-06, 18:02
Sorry you're having such problems.

Try this


To Access Last Known Good

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Last Known Good
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

Corvus75
2009-11-06, 19:16
Hi Ken, am running NT and the system restores run a bit differently to what you describe. All options that involve Windows starting result in the computer doing an automatic restart just before Windows loads. The only options I can see are using the recovery console, which I don't have the computer language to mess with, or a restore to settings on day of purchase, which I haven't tried yet. I have no access to any form of safe mode, or Windows only mode. Any tips?

ken545
2009-11-06, 20:17
Alex,

Virut is uncleanable. Along with the max++ rootkit there really is no other option except to do a complete format and reinstall of Windows. This computer is damaged malwarewise beyond repair. The sad part also is that everything is infected on this system, including all your programs, files and much more. A system repair won't work; it will just copy over all the infected items. This computer has to be formatted, I mean down to the bare metal, and a clean install of Windows.

You can read about it here
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html


If you need help reinstalling Windows please let me know and I can link you to a Windows forum that can help you. You're going to need your Windows CD or the Recovery CD that came with your computer.

Sorry I don't have better news

Ken

Corvus75
2009-11-06, 20:51
Bollocks, had a hunch you were going to say that, Ken. Well, I will do a complete clean. Can you tell me whether the Word documents, photos, vids etc I backed up will be corrupted? Will I be able to put them on another computer or will it just spread the evil?

Sort of baffled by this level of malice? Who and why was this created

ken545
2009-11-06, 22:45
Alex,

Greed is the main reason for this. Years ago, kids and people that had nothing else to do wrote viruses; they made your screen wobble or some other stupid thing, but not anymore. This garbage is written by cyber criminals, and their only point in writing it is to steal anything they can from you in the form of passwords and account numbers for banking, credit card numbers and access to your shopping sites. Believe it or not, it's big business. The only problem is that the scum that write this are off shore and hard to track and find, and when they are found they just move to another server somewhere.

When Virut first came out, all it infected was your .exe and .scr files, but from what I have read the newer versions infect even more. So I don't know what to tell you as far as backups. I believe your pictures may be ok, along with .txt documents.


Ken