-
2000++ Trojan & virus infection, what else should I do?
First I would like to thank everyone in this forum who has given me enough knowledge so far to understand computing better.
Early this week I helped my friend repair her PC. She had tried to bring it to computer stores with computer technicians (3 different places); they all said the only way was to format the PC.
She called me to ask if I knew anyone who could help; she has a lot of important data, so formatting the PC was impossible. So I asked the technician at my office, who gave the same recommendation: format the PC.
So I decided to have a try myself. The first symptoms I encountered: the PC was able to log in, but hung every time it entered the desktop, and sometimes it hung at the Windows welcome screen. So I tried to enter safe mode and set the PC to start only with the basic Windows components, and that managed to fix the hang at start-up, but when trying to boot normally the hanging problem came back. So I tried selecting the startup programs one by one until I managed to fix the hanging at start-up.
Then I tried to uninstall the antivirus program on the PC, which had already expired about a month or so before (Norton 360), and install Avira. Strangely, the guard was not active and could not be activated, but since it was able to scan, I ran a scan. It detected absolutely nothing, which is strange because my Avast USB Antivirus detects lots of viruses every time I plug it in. I tried other programs such as BitDefender, Kaspersky, ESET, Vipre and Hitman Pro, since I felt the same horror Hellnoir felt when he wrote about it on the blog, but the result was the same: I couldn't turn on the real-time protection (some resulting in a BSOD, if I'm not mistaken, a blue screen saying something about dumping memory) and the scan result was ZERO.
Even with Avast, which is strange, because the Avast USB Antivirus installed on my USB stick detects a lot over and over again and wouldn't allow me to run my USB on the infected PC (I wanted to try to install SuperAntiSpyware portable and a-squared portable from my USB).
After trying so many times, installing and uninstalling various antivirus and anti-malware programs, I finally tried MBAM. At first I could not install MBAM, so I followed the tutorial on how to install MBAM on an infected PC that won't allow the program to be installed. Surprisingly, after over 3 hours of scanning with MBAM it detected 1408 infections (I turned off System Restore before the scan).
Here is some of the log:
Database version: 4186
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.2180
06/11/2010 2:22:51 PM
mbam-log-2010-06-11 (14-22-51).txt
Scan type: Full scan (C:\|D:\)
Objects scanned: 516420
Time elapsed: 3 hour(s),58 minute(s), 50 second(s)
Memory Processes Infected: 74
Memory Modules Infected: 3
Registry Keys Infected: 275
Registry Values Infected: 6
Registry Data Items Infected: 3
Folders Infected: 51
Files Infected: 1269
Total Infection successfully treated: 1408
Memory Processes Infected:
C:\WINDOWS\system32\userini.exe (Trojan.Dropper) -> Unloaded process successfully.
C:\WINDOWS\system32\userini.exe (Trojan.Dropper) -> Unloaded process successfully.
C:\WINDOWS\system32\userini.exe (Trojan.Dropper) -> Unloaded process successfully.
C:\WINDOWS\system32\userini.exe (Trojan.Dropper) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\funwebproducts.browseroverlaybarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{98635087-3f5d-418f-990c-b1efe0797a3b} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{38a7c9da-8db7-4d0f-a7b1-c4b1a305bddb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8d292ec0-6792-4a38-82ed-73a087e41ba6} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d778513b-1c40-4819-b0c5-49e40b39afd0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlaybarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlayembed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlayembed.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.datacontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c8cecde3-1ae1-4c4a-ad82-6d5b00212144} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.datacontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8ca01f0e-987c-49c3-b852-2f1ac4a7094c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0f8ecf4f-3646-4c3a-8881-8e138ffcaf70} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b813095c-81c0-4e40-aa14-67520372b987} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9d7be3e-141a-4c85-8cd6-32461f3df2c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cff4ce82-3aa2-451f-9b77-7165605fb835} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
I didn't post the full log because it's too long to post and has the user name (my friend's name) in it. Some of the infections are caused by Conficker, a dropper and Vundo.
After the scan, MBAM asked to reboot, then I ran a quick scan, which detected nothing. So I decided to install KAV and run a scan; it managed to detect and remove 600+ viruses, 30++ trojans, 200++ adware and 56 riskware.
After that, I ran HijackThis, uploaded the result to hijackthis.de, and deleted some of the keys via Regedit.
Now the PC seems to be OK, but since I'm no expert, and given the amount of infection, is there anything else I should do, or did I miss something I was supposed to do? She has managed to back up all the important data now, so is it still necessary to format the PC?
Thank you all in advance for replying, and sorry for posting such a long thread.
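As an added illustration (not from the poster or from Malwarebytes), a small Python parser for the MBAM 1.x log layout quoted above: it cross-checks each summary count against the detail lines that follow it and lists items MBAM could only schedule for deletion on reboot, which is how a triager tells a complete, clean log from a partial one. The sample log is constructed, not the poster's.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt in the MBAM 1.x log layout: summary block first, then one
# "<Section>:" heading per category. The summary deliberately claims 3 files
# while only one detail line is reproduced, like a log that was cut down for posting.
SAMPLE_LOG = r"""
Memory Processes Infected: 2
Registry Keys Infected: 2
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\system32\userini.exe (Trojan.Dropper) -> Unloaded process successfully.
C:\WINDOWS\system32\userini.exe (Trojan.Dropper) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\funwebproducts.datacontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\constructed_sample.dll (Trojan.Vundo) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
DETAIL_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

def parse_mbam_log(text):
    """Return (summary_counts, details); details maps section -> [(item, family, action)].
    Lines matching none of the three patterns (blank, '(No malicious items detected)') are ignored."""
    summary, details, section = {}, defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if m := SUMMARY_RE.match(line):
            summary[m["section"]] = int(m["count"])
        elif m := SECTION_RE.match(line):
            section = m["section"]
        elif section and (m := DETAIL_RE.match(line)):
            details[section].append((m["item"], m["family"], m["action"]))
    return summary, dict(details)

def triage(text):
    """Group detections by family, flag items only scheduled for removal on reboot,
    and flag sections whose detail lines do not add up to the summary count."""
    summary, details = parse_mbam_log(text)
    families = Counter(f for rows in details.values() for _, f, _ in rows)
    pending = [i for rows in details.values() for i, _, a in rows if "reboot" in a.lower()]
    mismatched = [s for s, n in summary.items() if len(details.get(s, [])) != n]
    return {"families": families, "pending_reboot": pending, "mismatched": mismatched}
```

A "pending_reboot" entry means the post-reboot quick scan is the one that actually confirms removal; a "mismatched" section means the log you are reading is not the whole story.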
-
The Specialist *
Download Hitman Pro, install it, run a scan and post an update here.
I don't need to know everything, I just need to know where to find it, when I need it. 
-
Just got home. If possible I will install it tomorrow and post it. Anything else I should do? Is a reformat necessary?
-
The Specialist *

Originally Posted by
Raphael
Just got home. If possible I will install it tomorrow and post it. Anything else I should do? Is a reformat necessary?
No, first you must install Hitman Pro and do a scan.
---------- Post added at 06:42 PM ---------- Previous post was at 06:41 PM ----------
One more thing: you must post the full MBAM and HijackThis logs.
-
I would love to know how she got infected with so much malware while an AV was installed. Personally I would have done a clean install once her important data was backed up, simply because at least one of those viruses almost certainly would have done some damage to the OS. Modifications to the registry or damage to system files aren't always noticeable right away and may come back to haunt you at a later stage.
I refuse to tip toe through life only to arrive safely at death
-
Moderator

Originally Posted by
INDRANIL
Download Hitman Pro, install it, run a scan and post an update here.
Very good idea.
In order to repair some damage which could still be present, please download and install Virus Effect Remover.
Tell me: are you able to reach Windows Update or any Microsoft webpage?
If so, you should run Windows Update immediately and install the latest MS patches.
Please make sure you are using the latest Sun Java JRE
(please do use JavaRa to remove old Java versions completely),
the latest Adobe Flash Player
http://www.filehippo.com/download_flashplayer_ie/
http://www.filehippo.com/download_flashplayer_firefox/
and if you use Adobe Reader you must update to the latest version http://www.adobe.com/products/reader/ or, better, uninstall Adobe Reader and install alternative software like Sumatra PDF.
-
Supernova
Yes, like Odie, I too believe a clean format is necessary here after the necessary data backup, because you never know what rootkit is hiding there. Please follow Indranil's instructions and install Hitman Pro. It will let you confirm that no more active viruses are left there.
Also do a scan with the Kaspersky Rescue Disk, as you installed KAV there.
I also suggest you do a complete backup of all drives, not only the system drive.
Last edited by sujay; 06-11-2010 at 09:33 PM.
Every day brings a chance for you to draw in a breath, kick off your shoes, and dance.
-
Rookie
From my experience (your case sounds like mine):
You have to use a rescue CD. I recommend Kaspersky Rescue Disk.
After that, download Kaspersky Virus Removal Tool. Use high heuristics.
Then use Malwarebytes.
It should clean up well enough to back up files. Then format.
Thoughts are like a never ending ocean where it is deep, endless and dangerous
-
Experienced User
1. Do a Hitman Pro scan as Indranil mentioned above. Additionally, also download and scan using SAS portable.
2. If there is currently no antivirus, or real-time protection is disabled, do not attempt to connect to the internet any further. However, you require it for the Hitman scan.
3. Install the Avast Pro trial, get its updates from here, and do a full scan.
4. Clean all infections found till now
5. Backup the data as required
6. Format the PC
I'm the Beauty and you are the Beast.
-

Originally Posted by
Odie
I would love to know how she got infected with so much malware while an AV was installed. Personally I would have done a clean install once her important data was backed up, simply because at least one of those viruses almost certainly would have done some damage to the OS. Modifications to the registry or damage to system files aren't always noticeable right away and may come back to haunt you at a later stage.
I've been wondering about that myself; even I, who download a lot of stuff from torrents and other P2P, have never been infected so horribly like that (that PC is just one and a half years old).
Yes, thanks for confirming. I do think a clean format and fresh install of the OS would be the best solution after reading some reviews about rootkit infections, because I believe I saw something saying rootkit when scanning with either MBAM or Kaspersky (couldn't remember which one).

Originally Posted by
sujay
I also suggest you do a complete backup of all drives, not only the system drive.
What's the difference between the two, and how do I do that? (I read about how to back up the registry.) She has the driver CDs for all the hardware on that PC though; is it still necessary to back up all of those drives?

Originally Posted by
leofelix
Tell me: are you able to reach WindowsUpdate or any Microsoft webpage?
Before the MBAM scan and removal, no, I was unable to reach or open any Microsoft webpage.
After I finished scanning with all of the best security software that I know (Kaspersky, a-squared Free, MBAM, SAS and even the Panda online scan), I was able to do so and did the update right away.
But since you asked about that, there is something funny that actually happened. This morning when I tried to do the update, it said that ActiveX was not installed, and after I installed it and tried to do the updates, I had to call Microsoft, because somehow when trying to validate Windows it was marked as not genuine software (wonder how that could be). So we called Microsoft, and they asked us to bring the PC to them, and after quite a long process they confirmed that it's genuine software, so we went back to her house and were able to do the updates. Ooo... earlier, before the updates, I opened the hosts file (thanks to Paul's review on the hosts file); I remember it had a lot of unnecessary/unknown stuff written in it.
So I deleted everything except
127.0.0.1 localhost
Hope that's the right one not to delete, isn't it?
(because that's all I see when I open the hosts file on my PC at home)

Originally Posted by
INDRANIL
Download Hitman Pro, install it, run a scan and post an update here.
I already installed it before the MBAM shocking moment; it doesn't seem to do the job like the other virus software, so would it be any good now?
Ooo... what about ComboFix? I read about it a few times here and on other blogs, but since everyone says it's only to be used with the guidance of an expert, I haven't tried it.
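The hosts-file check the poster describes, as an added example that is not part of the thread: a small Python audit of a Windows hosts file (%SystemRoot%\System32\drivers\etc\hosts) that reports every mapping other than the stock loopback lines, separating hostnames pinned to 127.0.0.1 (the usual way malware blocks vendor and Microsoft sites, which fits the "could not reach any Microsoft webpage" symptom above) from hostnames redirected to some other address. The sample file is constructed.

```python
import ipaddress

# Constructed sample hosts file, not the poster's. The first two mappings are
# the stock Windows lines (XP ships only the 127.0.0.1 line; Vista and later
# also add "::1 localhost"); the remaining lines imitate malware additions.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org      # vendor site blackholed
127.0.0.1       update.microsoft.com      # Windows Update blackholed
203.0.113.7     www.example.com           # redirected to a third-party host
"""

# Names that legitimately map to a loopback address on a clean machine.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Return [(ip_address, [hostnames])] for each entry; comments (full-line
    or trailing '#') are dropped and unparsable lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a "<ip> <name>..." line
        entries.append((ip, parts[1:]))
    return entries

def audit_hosts(text):
    """Return (kind, hostname, ip) for every mapping that is not a stock
    loopback line. kind is 'blocked (loopback)' for a real hostname pinned to
    a loopback address, 'redirected' for a hostname pointed anywhere else."""
    findings = []
    for ip, names in parse_hosts(text):
        for name in names:
            if ip.is_loopback and name.lower() in LOOPBACK_NAMES:
                continue  # stock entry; this is what should survive a cleanup
            kind = "blocked (loopback)" if ip.is_loopback else "redirected"
            findings.append((kind, name, str(ip)))
    return findings
```

An empty result from audit_hosts means only the stock loopback lines remain, which is the state the poster restored by deleting everything except 127.0.0.1 localhost.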