Infection with Multiple Virus?

[khilen]

My computer seemed to be infected with virus and hence i ran KIS 2010 with all settings set to highest.

A Number of files were reported to be infected with the following virus:-

(a) Packed.Win32.Katusha.n,
(b) Trojan-Downloader.Win32.CodecPack.mgs
(c) Trojan-Downloader.Win32.CodecPack.mgo
(d) Trojan-Downloader.Win32.CodecPack.mgr

I have not been able to open "task manager", to see what is running in the memory by pressing alt+ctrl+del. Every time this was done the screen with multiple option would show "Lock Computer", "Log off"... "Task Manager" and "Cancel". When i would select "Task Manager" a pop up of KIS 2010 would open giving notification saying

"Denied: http://hттp://0-1-0-0-1-0-0-0-1-0-1-...fo/VERSION.TXT (analysis according to the base of suspicious web addresses) WINLOGON.EXE http://hттp://0-1-0-0-1-0-0-0-1-0-1-...fo/VERSION.TXT".

Also the home page on IE was changed to www.nuevaq.fm.

Also a notification on KIS 2010 showed,

"Denied: Trojan-Downloader.Java.Agent.au Java(TM) Platform SE binary hттp://www.nuevaq.fm/link.jar/Inicio.class "

and

"Denied: HEUR:Exploit.Script.Generic Internet Explorer hттp://www.nuevaq.fm/java0day_E.js//java0day_E"

Every time i would open IE and try to go to kaspersky.com website it would automatically close the internet explorer.

I am unable to use "Google Chrome".

After updating the signatures in safe mode when KIS was run, with all settings set to the maximum, it deleted a number of files. It gave certain notification like that special process of removal will be followed and then computer will be restarted, this happened twice. After the scan is completed and when repeat scan was done after restarting in normal mode and safe mode no new virus are detected, but i keep facing the following problems:-

(1) The home page of the Internet Explorer automatically changes to "www.nuevaq.fm" every time the computer is restarted.

(2) I am not able to start system restore, i am not able to start "Task Manager" by selecting this option by pressing alt+ crtl + del or by right clicking on the task bar and selecting task manager from the option list.

(3) I am not able to use "Google Chrome"

(4) Not able to use the "cmd" function from "Run" on the Start menu to open command window.

I have downloaded the Kaspersky Virus Removal Tool and am running it currently in the "safe mode", with all settings set to the highest level.

In the meanwhile i am attaching the avptool_sysinfo.zip to manually remove the virus with your help.

I feel that the computer is still infected with virus, i will greatly appreciate all the help that you can provide to get rid of this virus and get my cmputer running normally.

Please advise what i should do as soon as possible.

Thank you & Regards,
Khilen

[Rene-gad]

Close/unload all the programs excepted AVZ and Internet Explorer

Switch off:
- Antivirus and and, if you have - Firewall.
- System Restore


- Execute following script in Manual Healing

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 QuarantineFile('C:\WINDOWS\twunk_16.exe','');
 QuarantineFile('C:\WINDOWS\system32\pwdmon.dll','');
 QuarantineFile('C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe','');
 QuarantineFile('C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe','');
 QuarantineFile('C:\WINDOWS\system32\PsaSrv.exe','');
 QuarantineFile('C:\Documents and Settings\Khilen Shah\Khilen Shah1\winlogon.exe','');
 QuarantineFile('C:\WINDOWS\system32\7sGQbATX.exe','');
 DeleteFile('C:\WINDOWS\system32\7sGQbATX.exe');
 DeleteFile('C:\Documents and Settings\Khilen Shah\Khilen Shah1\winlogon.exe');
 DeleteFile('C:\WINDOWS\twunk_16.exe');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','NVIDIA Media Center Library');
 RegKeyParamDel('HKEY_USERS','S-1-5-21-2162815159-2298460070-1374140739-1005\Software\Microsoft\Windows\CurrentVersion\Run','NVIDIA Media Center Library');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

After reboot:
- Execute following script in Manual Healing

Код:

begin
CreateQurantineArchive('C:\quarantine.zip');    
end.

- Upload the C:\quarantine.zip here: http://virusinfo.info/upload_virus_eng.php?tid=83856
- Make a new log file.
- Make a log file of Malwarebytes Antimalware: http://www.malwarebytes.org/mbam.php
- Attach a new log to your new post..