Been hit with a virus and heuristic virus

Hello, 

System I use is 2005 Windows XP Media edition, service pack 3, Dell Inspiron 6000

I was hit with 2 viruses about 3 weeks ago, simultaneously. First is a backdoor.Tidserv virus, security level: High, and

Second, suspicious.vundo.2, heuristic virus, security level: high

 

I didn't notice them until I did a scan a week later when I scanned it through Norton 360.

 

What has affected it:

well I noticed my PowerISO was not functioning properly so I uninstalled...(big mistake)

And..

One thing I do notice is that it has infected my Internet Explorer and Firefox search engines by redirecting me to different sites; defragment does not work, and any spyware/malware programs such as Spybot Search and Destroy / HijackThis will not open.

 

I haven't really done anything other than continue to upgrade Norton 360 through LiveUpdate and continuous scans and shut down through cold boots.

I really want to get rid of these viruses immediately, and yet I did a lot of research on these and they are very very hard to remove. I need help!!

Hi Bazookajoe01:

 

There is a distinct possibility that you have more than one rootkit.  They can be extremely difficult to remove.  Please begin by downloading GMER to see if we can get more than one log for cross-checks:

 

http://www.gmer.net/

 

Please make sure all the boxes are checked.  Scan Only.  Do not attempt to fix anything.  There is sometimes an order of removal that is important to protect your system.

 

You will be able to post the log using the "add attachments" link under the orange post button.

 

Also download and run SysProt.  You will need to go into Norton and turn auto protect off or it will remove the scanner.

 

http://homepages.slingshot.co.nz/~crutches/SysProt

 

Click on report or log, check all of the boxes and HD. Attach the log the same way.

 

Quads will have a look when the logs are available. He is the guru responsible  for this type of work.

I would try the Norton Recovery Disk.  If you have N360 v3 - boxed version you can use the CD as a bootable recovery disk.  Just turn off the PC, insert the CD and boot up.  It will boot from the CD - bypassing any rootkits or early loading viruses you may have.  You will need your activation code to finish the process.

 

If you don't have the CD you can download an ISO of it and burn a recovery CD.

Themanwithaplan:

 

That has been tried with some success on a couple of rootkits, if Symantec has the definitions for them, and if the user is able to update using the internet, and if the user has v3.  Some of us have spent 8 pages of posts trying to get the user updated, connected, downloaded, burned as an ISO, only to have the removal fail.

 

We find it is much better to first determine what rootkit variant we are dealing with, and then proceed with remediation.

~delphinium

 

Hello

It's me again. I've managed to scan with the GMER program you provided. It took forever since I performed a full computer scan, but I was able to identify the culprit. It turns out the two viruses I mentioned before were already quarantined by Norton 360 when I did the scan 3 weeks ago. Hopefully there is a way to remove those, but that will be on another post. GMER has managed to identify MSIVXserv.sys, as you'll see in the log file, which I did some research on, and it turns out to be the trojan affecting my web browser and causing other programs like defragment and spyware/malware programs not to operate.

 

Here is my log file and hopefully you and other experts can provide a solution to removing this nasty trojan out of my system.

Thanks again.

 

 

~Bazookajoe01

 

 

Just to let you know that we haven’t forgotten you.  Time zones do slow us down a bit, and there are a fair number of rootkits at the moment.  Quads will be along later in the day.

Hi

 

Now (read carefully): If you have Spybot S&D, uninstall it.

 

Also, during the restarts with Avenger, if your PC has a startup repair center (like HP and Toshiba have), tell it to start normally if it kicks in.

 

1. Download Avenger to your desktop,

 

Unzipped version http://homepages.slingshot.co.nz/~crutches/Avenger/

Creator's website http://swandog46.geekstogo.com/avenger2/avenger2.html with a zipped version; unzip it to the desktop.

 

2. Click to run "Avenger.exe"  (right click "Run as Administrator" if using Vista)

 

3. In the "Input script here:" copy and paste the script between the lines

 


Drivers to disable:

MSIVXserv.sys

 

Drivers to delete:

MSIVXserv.sys

 

Files to delete:

C:\Autorun.inf

D:\Autorun.inf

C:\WINDOWS\System32\drivers\MSIVXdsltttbyqypnjfvruinokudlfqfqnvwy.sys

C:\WINDOWS\System32\MSIVXjfbgdranbmotwwdqidifaqduofyqbpwt.dll

C:\WINDOWS\System32\MSIVXjgmddabkstblnelfyiorlqaacbnaxvoc.dll 

C:\WINDOWS\System32\MSIVXcount

 

Registry keys to delete:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet011\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet012\Services\MSIVXserv.sys 

HKEY_LOCAL_MACHINE\SOFTWARE\MSIVX 


 

Here is a screenshot (script updated since shot)

 

Avenger.jpg

 

Make sure "Automatically disable any rootkits found" is NOT selected.

 

4. Click "Execute"

 

You will be asked to restart the PC; click "Yes". When the PC restarts the load screen will take slightly longer, then, when it looks as though Windows is loading, the PC will restart again.

Then, when Windows fully loads, the Avenger log (C:\Avenger.txt) will be loaded, showing files it could or could not find.

 

5. Restart the PC again, then see if you can install, update and run Malwarebytes http://www.filehippo.com/download_malwarebytes_anti_malware/

 

Quads 
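As an added example (not code from the thread, from Avenger, or from its author), here is a small Python parser and consistency checker for a removal script in the shape of the one posted above. It reads the four section headers the script uses, checks that every driver marked for deletion is also marked for disabling, that file entries are absolute drive paths and that registry entries carry a hive root, and then summarises what the script targets (the common "MSIVX" name prefix and which ControlSet numbers the registry section covers). The embedded script text is a constructed copy of the one in the thread; the header names, the validation rules and the idea that Avenger runs each block until the next header are assumptions for this example.

```python
"""Parse and sanity-check an Avenger-style removal script (added example)."""
import ntpath
import os
import re
from collections import OrderedDict

# Section headers as they appear in the posted script (assumption: each
# block runs until the next header; blank lines are ignored).
SECTION_HEADERS = {
    "Drivers to disable:": "drivers_disable",
    "Drivers to delete:": "drivers_delete",
    "Files to delete:": "files_delete",
    "Registry keys to delete:": "registry_delete",
}

# Constructed copy of the script from the thread (raw string: backslashes kept).
AVENGER_SCRIPT = r"""
Drivers to disable:
MSIVXserv.sys

Drivers to delete:
MSIVXserv.sys

Files to delete:
C:\Autorun.inf
D:\Autorun.inf
C:\WINDOWS\System32\drivers\MSIVXdsltttbyqypnjfvruinokudlfqfqnvwy.sys
C:\WINDOWS\System32\MSIVXjfbgdranbmotwwdqidifaqduofyqbpwt.dll
C:\WINDOWS\System32\MSIVXjgmddabkstblnelfyiorlqaacbnaxvoc.dll
C:\WINDOWS\System32\MSIVXcount

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet011\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet012\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SOFTWARE\MSIVX
"""

WIN_ABS_PATH = re.compile(r"^[A-Za-z]:\\")
HIVE_ROOT = re.compile(r"^HKEY_(LOCAL_MACHINE|CURRENT_USER|USERS|CLASSES_ROOT)\\")


def parse_avenger_script(text):
    """Return (sections, problems): entries grouped by section, plus stray lines."""
    sections = OrderedDict((name, []) for name in SECTION_HEADERS.values())
    current, problems = None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            current = SECTION_HEADERS[line]
        elif current is None:
            problems.append(f"line {lineno}: entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections, problems


def check_script(sections):
    """Consistency rules (assumed): delete implies disable; paths and keys well-formed."""
    issues = []
    disabled = {d.lower() for d in sections["drivers_disable"]}
    for drv in sections["drivers_delete"]:
        if drv.lower() not in disabled:
            issues.append(f"driver {drv} deleted without a disable entry")
    for path in sections["files_delete"]:
        if not WIN_ABS_PATH.match(path):
            issues.append(f"file entry is not an absolute drive path: {path}")
    for key in sections["registry_delete"]:
        if not HIVE_ROOT.match(key):
            issues.append(f"registry entry lacks a hive root: {key}")
    return issues


def indicator_prefix(sections):
    """Longest common prefix of the driver names and System32 file names targeted."""
    names = list(sections["drivers_delete"])
    for path in sections["files_delete"]:
        if "system32" in ntpath.dirname(path).lower():
            names.append(ntpath.basename(path))
    return os.path.commonprefix(names) if names else ""


def control_sets_covered(sections):
    """Sorted ControlSetNNN numbers named in the registry section."""
    found = set()
    for key in sections["registry_delete"]:
        m = re.search(r"\\ControlSet(\d{3})\\", key)
        if m:
            found.add(int(m.group(1)))
    return sorted(found)


if __name__ == "__main__":
    secs, probs = parse_avenger_script(AVENGER_SCRIPT)
    for name, entries in secs.items():
        print(f"{name}: {len(entries)} entries")
    print("stray lines:", probs or "none")
    print("issues:", check_script(secs) or "none")
    print("indicator prefix:", indicator_prefix(secs))
    print("control sets covered:", control_sets_covered(secs))
```

Running it prints the per-section counts, reports no stray lines or consistency issues for the posted script, derives the shared "MSIVX" prefix that ties the driver, the DLLs and the counter file together, and lists ControlSet001 through ControlSet012 as covered. A script that deletes a driver it never disables, or names a file without a drive letter, shows up in the issues list before anything is executed.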

Quick question..

 

Do I do this in safe mode or just regular?

Normal mode

 

 

Well, everything seems to be running in order. Malwarebytes found and deleted 28 pieces of malware in my system. Rebooted. Updating security patches from Windows Updates, Norton 360 LiveUpdate, Malwarebytes Update and so forth.

 

One other question...can I reinstall Spybot S&D? Or just leave it the way I have now?

 

Other than that, I really thank you for helping me out. Without this and your expertise I would have ended up going to someone else and actually ended up paying someone to remove that trojan I had. I really appreciate it and of course I'll definitely ask more questions if I experience any problems like this again. I'll go ahead and put in my logs for Avenger and Malwarebytes just in case you need them, and study them for future reference. Thanks again.

 

~bazookajoe01