Need Help With Serious Virus/Spyware Problem

[soccermiles77]

Okay. First off I'd like to thank those of you that took the time to read my problem and attempt to offer suggestions on how to fix this without reformatting my hard drive, as I have tried everything within my knowledge and can't get anything to work. Here's the situation:

Last night around midnight, I was about to turn my computer off for the night and go to bed when I noticed all of a sudden in my taskbar in the bottom right hand corner of my screen, a small, green, windows defender-like shield with a white check mark in the middle with the name "Antivirus Soft" appeared and displayed this message: "Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here to scan you computer. Your system might be at risk now." (Yes, the awkward grammar and misspelling of "your" in the second sentence was in this bubble that popped up, which raised my suspicion even more). Upon receiving this error message, I tried to run my Spybot S&D, which brought about another error message saying "Application cannot be executed. The file spybot.exe is infected. Do you want to activate your antivirus software now?".

After receiving these error messages, I tried to access the Task Manager to see if I could spot any odd-looking processes that were running, and nuke it from that route, but the same error message popped up and said my task manager was infected. It has proceded to give me the same error message for my VLC Media Player, Skype, as well as java.exe.

Every couple of minutes, another error box will pop up, also posing as a Windows Defender threat message. I was able to write down what the error box message said twice, and here they are.

First Time:
Attack From: 249.60.59, port 53701
Attacked Port: 3140
Threat: BankerFox.A

Second Time:
Attack From: 207.162.14.61, port 44664
Attacked Port: 19228
Threat: BankerFox.A

So far, I have tried running Spybot, using the Task Manager, and doing a System Restore, and all 3 attempts have failed. If you can help me at all, I would be GREATLY appreciative. Thank you very much for your time.

-Miles

[soccermiles77]

Another thing to note: I tried to run Windows in Safe Mode with Networking from the BIOS screen, and right as I logged on, it blue screened on me immediately.

[Darkstar]

http://www.malwarebytes.org/index.php

see if you can install this and run it

[soccermiles77]

I was able to download and install the Malwarebytes program, but when I tried to run it, it gave me the same infected file error that Skype, Task Manager, and java.exe had given me.

Any other suggestions?

[smack323]

have you tried to boot into safe mode and run the program? I had a similar problem with a friends machine. I ended up taking out the hard drive and connecting to another computer to run a virus scan on it... I am not sure if this is an option for you.

[soccermiles77]

I might be able to disconnect the hard drive and connect it to another computer, but I will try running Windows in safe mode without the networking option and try to run the program in a little while, and will post an update a little later.

[Major_A]

This malware has a specific name, can't remember it though. Basically it blocks all executable files from running, i.e. your software. Download and run Combofix if you can.
http://www.majorgeeks.com/Combofix_d6402.html
If you get things semi running be sure to check out the anti-spyware thread.
http://forums.legitreviews.com/about977.html

Open up msconfig and give us a list of what is in the Startup tab if you can.
Click Start-Run-type msconfig and press Enter. If this program is starting up then you might be able to disable it and run the programs to get rid of it.

[soccermiles77]

Major_A - I'm going to try your suggestion first, seems like that could work. I'll get back to you here in about 45 minutes after I see if I can access the startup in the run window

[soccermiles77]

Major_A:

I was able to start my computer in safe mode and use the start-run-msconfig function and found these following items in my STARTUP tab:

NVMixerTray
gnotify
qlu
NvCpl
nwiz
MSASCui
PDVDServ
Language
KHALMNPR
xInsIDE
xRaidSetup
KHALMNPR (again)
svehost
RTHDCPL
ALCMTR
NvMcTray
PWRISOVM
iTunesHelper
QTTask
qxpysftav
mssysmgr
TeaTimer
steam
ctfmon
GoogleToolbarNotifier
LocationFinder
msmsgs
nTuneCmd
btdna
uTorrent
Core
Skype
ICQ
aim
DTLite
qxpysftav

That's it. I'm currently running the scan of my computer in safe mode with my Spybot Search & Destroy, and I'm hoping this fixes the problem. Let me know if you see anything on that list of thigns in my STARTUP file that raise any alarms. Thanks for all your help.

[Major_A]

There are a few in there that look suspect, primarily this one.
svehost
Since you can scan in Safe Mode download and run Kaspersky's Virus Removal Tool.
http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/

[smack323]

dont forget about combofix major pointed out.. its been a lifesaver getting machines stable for me.

[soccermiles77]

Okay thank you both for your help, I will try all of this out later tonight abd keep you posted.

Also, I noticed this morning that even after running a scan of my computer in safe mode with spybot and clicking fix this problem, when I restarted my machine in normal Windows mode, the virus program appeared again. Would it help if I were to uncheck the box next to the "svehost" in the startup tab of my msconfig while in safe mode and trying to run windows normally?

[Major_A]

Not yet. If you uncheck it then the AV program may not pick it up. Better to leave it enabled while running the scans in Safe Mode.

[soccermiles77]

major_a,

I ran the Kaspersky's program, and it would freeze up at a certain point until one time when i got throuh it to where it said it was deleting files and now i try to start my computer up and right after the screen asking me hwether to put my comp on safe mode or not goes away, it BSOD's on me and restarts itself automatically.

What happened?!?!?

[KnightRid]

use malwarebytes and not spybot - I use spybot sometimes but malwarebytes find a lot more.

Start in safe mode without networking and run malwarebytes.

Mike

[Major_A]

So is it starting at all in Safe Mode?

[soccermiles77]

It wasn't last night. Not in any of the safe modes (networking, etc). I'll try it here in a few minutes

[Major_A]

You might have to do a repair install of you OS now. It sounds like the virus attacked some OS files and when it cleaned them it screwed up your OS install.

[soccermiles77]

would repair install reformat my hard drive?

[Major_A]

Nope, it's supposed to just repair the broken OS files.