cannot install or use safe mode & blocked from security sites

Hi Baydon :)

If you could note down the files and paths that Avast detected it would be great.


Step 1
Please Uninstall Trojan Remover from your computer as it may be hampering our progress.


Step 2
SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    *ywvlwqew.exe*
    
    :folderfind  
    *qqeymqug*
    
    :regfind 
    YwvLwqew
    qqeymqug
    userinit
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



Step 3
Please rerun AswMBR, as I asked you in post number 5.

Step 4
I see you have Malwarebytes installed. Please open the program, check for any updates and run a Quick scan.

In your next reply please include:
The Systemlook logfile.
The aswMBR logfile.
The Malwarebytes log.
The files and paths that Avast found.

Regards maxi :)
 
SystemLook 30.07.11 by jpshortstuff
Log created at 10:04 on 27/06/2012 by karl
Administrator - Elevation successful

========== filefind ==========

Searching for "*ywvlwqew.exe*"
E:\Documents and Settings\All Users\Application Data\Bitdefender\Avc\Feedback\01CD444C4D54CCBE_2878_002124_ywvlwqew.exe.det --a---- 6670 bytes [01:25 07/06/2012] [01:25 07/06/2012] A28E87B7B83CCFDA6848BE4E7CF74B65
E:\Documents and Settings\karl\Local Settings\Application Data\qqeymqug\ywvlwqew.exe.vir --a---- 84888 bytes [22:36 08/06/2012] [22:56 17/05/2012] D222E319790B3576BA11B2DD5CBCAF84

========== folderfind ==========

Searching for "*qqeymqug*"
E:\Documents and Settings\karl\Local Settings\Application Data\qqeymqug d------ [22:56 17/05/2012]

========== regfind ==========

Searching for "YwvLwqew"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="e:\windows\system32\userinit.exe,,E:\Documents and Settings\karl\Local Settings\Application Data\qqeymqug\ywvlwqew.exe"

Searching for "qqeymqug"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="e:\windows\system32\userinit.exe,,E:\Documents and Settings\karl\Local Settings\Application Data\qqeymqug\ywvlwqew.exe"

Searching for "userinit"
[HKEY_CURRENT_USER\Software\Microsoft\Office\Common\UserInfo]
"UserInitials"="k"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="e:\windows\system32\userinit.exe,,E:\Documents and Settings\karl\Local Settings\Application Data\qqeymqug\ywvlwqew.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\userinit.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Application]
"Sources"="WSH WMIAdapter WMI.NET Provider Extension WmdmPmSN WinMgmt Winlogon Windows Product Activation Windows 3.1 Migration WebClient VSTO 4.0 VSSetup VSS VBRuntime Userinit Userenv UploadM Turbine Network Service Turbine Message Service System.ServiceModel.Install 3.0.0.0 System.ServiceModel 3.0.0.0 System.Runtime.Serialization 3.0.0.0 System.IO.Log 3.0.0.0 System.IdentityModel 3.0.0.0 SysmonLog SpoolerCtrs Software Restriction Policies Software Installation ServiceModel Audit 3.0.0.0 SecurityCenter SclgNtfy SceSrv SceCli safrslv SAFrdms RPC Remote Assistance PerfProc PerfOS PerfNet Perfmon Perflib PerfDisk Perfctrs Offline Files Office Software Protection Platform Service Oakley nview NVIDIA OpenGL Driver ntbackup NeroCheck NDP1.1sp1-KB979906-X86 NDP1.1sp1-KB953297-X86 NDP1.1sp1-KB2656370-X86 NDP1.1sp1-KB2656353-X86 NDP1.1sp1-KB2572067-X86 NDP1.1sp1-KB2416447-X86 MSSQLSERVER/MSDE MSSOAP MSSHA MsiInstaller MSDTC Client MSDTC MSDMine
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Application\Userinit]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Application\Userinit]
"EventMessageFile"="%SystemRoot%\System32\userinit.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Control\Nls\MUILanguages\RCV2\userinit.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\Eventlog\Application]
"Sources"="WSH WMIAdapter WMI.NET Provider Extension WmdmPmSN WinMgmt Winlogon Windows Product Activation Windows 3.1 Migration WebClient VSTO 4.0 VSSetup VSS VBRuntime Userinit Userenv UploadM Turbine Network Service Turbine Message Service System.ServiceModel.Install 3.0.0.0 System.ServiceModel 3.0.0.0 System.Runtime.Serialization 3.0.0.0 System.IO.Log 3.0.0.0 System.IdentityModel 3.0.0.0 SysmonLog SpoolerCtrs Software Restriction Policies Software Installation ServiceModel Audit 3.0.0.0 SecurityCenter SclgNtfy SceSrv SceCli safrslv SAFrdms RPC Remote Assistance PerfProc PerfOS PerfNet Perfmon Perflib PerfDisk Perfctrs Offline Files Office Software Protection Platform Service Oakley nview NVIDIA OpenGL Driver ntbackup NeroCheck NDP1.1sp1-KB979906-X86 NDP1.1sp1-KB953297-X86 NDP1.1sp1-KB2656370-X86 NDP1.1sp1-KB2656353-X86 NDP1.1sp1-KB2572067-X86 NDP1.1sp1-KB2416447-X86 MSSQLSERVER/MSDE MSSOAP MSSHA MsiInstaller MSDTC Client MSDTC MSDMine
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\Eventlog\Application\Userinit]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\Eventlog\Application\Userinit]
"EventMessageFile"="%SystemRoot%\System32\userinit.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Control\Nls\MUILanguages\RCV2\userinit.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\Eventlog\Application]
"Sources"="WSH WMIAdapter WMI.NET Provider Extension WmdmPmSN WinMgmt Winlogon Windows Product Activation Windows 3.1 Migration WebClient VSTO 4.0 VSSetup VSS VBRuntime Userinit Userenv UploadM Turbine Network Service Turbine Message Service System.ServiceModel.Install 3.0.0.0 System.ServiceModel 3.0.0.0 System.Runtime.Serialization 3.0.0.0 System.IO.Log 3.0.0.0 System.IdentityModel 3.0.0.0 SysmonLog SpoolerCtrs Software Restriction Policies Software Installation ServiceModel Audit 3.0.0.0 SecurityCenter SclgNtfy SceSrv SceCli safrslv SAFrdms RPC Remote Assistance PerfProc PerfOS PerfNet Perfmon Perflib PerfDisk Perfctrs Offline Files Office Software Protection Platform Service Oakley nview NVIDIA OpenGL Driver ntbackup NeroCheck NDP1.1sp1-KB979906-X86 NDP1.1sp1-KB953297-X86 NDP1.1sp1-KB2656370-X86 NDP1.1sp1-KB2656353-X86 NDP1.1sp1-KB2572067-X86 NDP1.1sp1-KB2416447-X86 MSSQLSERVER/MSDE MSSOAP MSSHA MsiInstaller MSDTC Client MSDTC MSDMine
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\Eventlog\Application\Userinit]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\Eventlog\Application\Userinit]
"EventMessageFile"="%SystemRoot%\System32\userinit.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\userinit.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application]
"Sources"="WSH WMIAdapter WMI.NET Provider Extension WmdmPmSN WinMgmt Winlogon Windows Product Activation Windows 3.1 Migration WebClient VSTO 4.0 VSSetup VSS VBRuntime Userinit Userenv UploadM Turbine Network Service Turbine Message Service System.ServiceModel.Install 3.0.0.0 System.ServiceModel 3.0.0.0 System.Runtime.Serialization 3.0.0.0 System.IO.Log 3.0.0.0 System.IdentityModel 3.0.0.0 SysmonLog SpoolerCtrs Software Restriction Policies Software Installation ServiceModel Audit 3.0.0.0 SecurityCenter SclgNtfy SceSrv SceCli safrslv SAFrdms RPC Remote Assistance PerfProc PerfOS PerfNet Perfmon Perflib PerfDisk Perfctrs Offline Files Office Software Protection Platform Service Oakley nview NVIDIA OpenGL Driver ntbackup NeroCheck NDP1.1sp1-KB979906-X86 NDP1.1sp1-KB953297-X86 NDP1.1sp1-KB2656370-X86 NDP1.1sp1-KB2656353-X86 NDP1.1sp1-KB2572067-X86 NDP1.1sp1-KB2416447-X86 MSSQLSERVER/MSDE MSSOAP MSSHA MsiInstaller MSDTC Client MSDTC MSD
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Userinit]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Userinit]
"EventMessageFile"="%SystemRoot%\System32\userinit.exe"
[HKEY_USERS\S-1-5-21-1708537768-1482476501-839522115-1004\Software\Microsoft\Office\Common\UserInfo]
"UserInitials"="k"

-= EOF =-
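As an added example (not from the original thread or its tools), a small Python checker for the Winlogon Userinit value that SystemLook found above: it splits the comma-separated entry list, expects only System32\userinit.exe, and flags any chained program, especially one under a per-user Application Data or Temp folder. The sample value is copied from the log; the expected-path and user-writable-path rules are my own assumptions.

```python
import re

# Sample value constructed from the "Userinit" entry in the SystemLook log above.
SAMPLE_USERINIT = (
    r"e:\windows\system32\userinit.exe,,"
    r"E:\Documents and Settings\karl\Local Settings\Application Data\qqeymqug\ywvlwqew.exe"
)

# Assumption: a stock Windows XP install lists only userinit.exe under System32.
EXPECTED_BASENAME = "userinit.exe"
SYSTEM32_RE = re.compile(r"^(?:%systemroot%|[a-z]:\\windows)\\system32\\", re.IGNORECASE)
# Assumption: per-user, writable profile folders where no logon hook should live.
USER_WRITABLE_RE = re.compile(
    r"\\(Local Settings\\Application Data|Application Data|Temp)\\", re.IGNORECASE
)


def parse_userinit(value):
    """Split the comma-separated Userinit value, dropping empty entries
    (the sample carries an empty entry from the ',,' sequence)."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def assess_userinit(value):
    """Return a list of (entry, reason) findings; an empty list means the value looks stock."""
    findings = []
    entries = parse_userinit(value)
    if not entries:
        return [("", "Userinit is empty; Windows would not start a shell at logon")]
    first = entries[0]
    # The first entry must be the real userinit.exe from System32.
    if first.rsplit("\\", 1)[-1].lower() != EXPECTED_BASENAME or not SYSTEM32_RE.match(first):
        findings.append((first, "first entry is not System32\\userinit.exe"))
    # Anything chained after it runs at every logon and deserves a look.
    for extra in entries[1:]:
        reason = "extra program chained after userinit.exe"
        if USER_WRITABLE_RE.search(extra):
            reason += " and it lives in a user-writable profile directory"
        findings.append((extra, reason))
    return findings


if __name__ == "__main__":
    for entry, reason in assess_userinit(SAMPLE_USERINIT):
        print(f"SUSPICIOUS: {entry}\n  reason: {reason}")
```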
 
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-27 10:48:53
-----------------------------
10:48:53.360 OS Version: Windows 5.1.2600 Service Pack 3
10:48:53.360 Number of processors: 2 586 0xF0B
10:48:53.360 ComputerName: CATACOMB UserName: karl
10:48:54.220 Initialize success
10:48:54.298 AVAST engine defs: 12062700
10:49:38.345 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
10:49:38.345 Disk 0 Vendor: SAMSUNG_HD501LJ CR100-10 Size: 476938MB BusType: 3
10:49:38.345 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
10:49:38.345 Disk 1 Vendor: WDC_WD2000JD-00HBB0 08.02D08 Size: 190782MB BusType: 3
10:49:38.360 Disk 1 MBR read successfully
10:49:38.360 Disk 1 MBR scan
10:49:38.470 Disk 1 Windows XP default MBR code
10:49:38.470 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 190740 MB offset 63
10:49:38.470 Disk 1 scanning sectors +390636540
10:49:38.563 Disk 1 scanning E:\WINDOWS\system32\drivers
10:49:45.204 Service scanning
10:49:54.923 Modules scanning
10:50:12.704 Disk 1 trace - called modules:
10:50:12.704 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll sfsync02.sys atapi.sys pciide.sys PCIIDEX.SYS
10:50:12.704 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8a99cab8]
10:50:12.704 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\00000075[0x8a9abf18]
10:50:12.704 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T1L0-c[0x8a9b8d98]
10:50:12.704 \Driver\atapi[0x8a9de738] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> sfsync02.sys[0xb80c98b4]
10:50:13.501 AVAST engine scan E:\WINDOWS
10:50:31.454 AVAST engine scan E:\WINDOWS\system32
10:52:40.407 AVAST engine scan E:\WINDOWS\system32\drivers
10:52:56.282 AVAST engine scan E:\Documents and Settings\karl
10:56:32.798 File: E:\Documents and Settings\karl\Local Settings\Application Data\qqeymqug\ywvlwqew.exe.vir **INFECTED** Win32:Malware-gen
10:56:36.329 File: E:\Documents and Settings\karl\Local Settings\Temp\qctgysgdmdcexanm.exe **INFECTED** Win32:Malware-gen
11:05:39.235 Disk 1 MBR has been saved successfully to "E:\Documents and Settings\karl\Desktop\MBR.dat"
11:05:39.251 The log file has been saved successfully to "E:\Documents and Settings\karl\Desktop\aswMBR.txt"


And I can't seem to open the MBR.dat... so I can't post it here.
 
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.27.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
karl :: CATACOMB [administrator]

Protection: Enabled

27/06/2012 12:01:01
mbam-log-2012-06-27 (13-44-29).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 217385
Time elapsed: 4 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE (Trojan.Agent) -> No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service (Trojan.Agent) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
Hi Baydon,

I'm sorry to say I have bad news for you. You have been infected with a file infector, which is virtually impossible to clear up. You can read more about it below.


Ramnit warning

I'm afraid I have very bad news for you. Unfortunately, one or more of the identified infections is Win32/Ramnit.A.

This infection has really become quite nasty and dangerous.
The problem is that the damage caused by this infection really makes a PC unreliable and untrustworthy. PE file infectors like Ramnit can infect all executable files (DLL, EXE, SCR... and many more, also HTML). These infections can open back doors that truly may compromise your computer and your security. These backdoors could allow a remote attacker to access and instruct the infected computer to download and execute more malicious files.
In many cases the infected files (which could number in the thousands) cannot be disinfected properly by scanning tools. Also, when disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts, so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (USB, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are a major source of system infection.

Because Ramnit is also a Trojan Backdoor you are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

There is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired.
In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to reformat your computer and reinstall Windows.

Further reading:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

Should you have any questions please feel free to ask.
 
Hi Maxi,

Can't say your diagnosis pleases me, but massive thanks for all your help.

I'm a bit concerned about backing up my data before a reinstall; won't the virus be backed up too?

Karl
 
Hi Baydon, sorry again for the bad news.

Backing up data should be fine, but not programs, executables, or Windows files.

I would advise you to back up the data to an external hard drive, then when you have reinstalled Windows and installed an anti-virus and maybe Malwarebytes, scan the external drive. If it is clear you should be good to go.

If you have any more questions feel free to ask.

Regards maxi
 
Hi Karl,

Yes, it's possible, but the drive that is infected needs to be formatted no matter whether you use it as a slave or not. If you don't format the drive it will infect anything you connect it to (i.e. your new drive).

Regards maxi
 