
Solved w32/nuwar.sys virus

Discussion in 'Malware and Virus Removal Archive' started by need help, 2007/08/25.

  1. 2007/08/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Excellent! Now do the Kaspersky scan.
     
  2. 2007/08/26
    noahdfear

    Out of all that, we only need to get two more files killed. :)

    Copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\SYSTEM32\nusrmgr.exe 	
    C:\WINDOWS\SYSTEM32\sjnrihou.exe 	
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.


    Go to the Control Panel, Add/Remove Programs and uninstall all Java (JRE) versions. Then download and install the latest version from here.

    Reboot.

    Download GMER, saving it to the desktop. Then extract it to its own folder.

    Open the program and click on the Rootkit tab.
    Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
    Click on Scan.
    When the scan has completed, click Copy and paste the results (if any) into this topic.
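
Before running a removal script like the CFScript.txt in the post above, it helps to read back exactly what it will delete. The following is an added example, not part of the original post or of ComboFix; it assumes only the two section headers shown in the post and the .reg-style `[-key]` deletion syntax, and its function names are hypothetical.

```python
import re

# Script text as posted above. Assumption: '[-KEY]' deletes KEY, as in .reg files.
CFSCRIPT = r"""File::
C:\WINDOWS\SYSTEM32\nusrmgr.exe
C:\WINDOWS\SYSTEM32\sjnrihou.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}]
"""

SECTION = re.compile(r"^(\w+)::$")
ABS_PATH = re.compile(r"^[A-Za-z]:\\")
GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
ACTIVE_SETUP = r"\software\microsoft\active setup\installed components" + "\\"

def parse_cfscript(text):
    """Group non-blank lines under the 'Name::' header that precedes them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            current.append(line)
    return sections

def review(sections):
    """Return (files, key_deletions, notes) for a human to read before running."""
    files, deletions, notes = [], [], []
    for path in sections.get("File", []):
        files.append(path)
        if not ABS_PATH.match(path):
            notes.append(f"not an absolute path: {path}")
    for entry in sections.get("Registry", []):
        if entry.startswith("[-") and entry.endswith("]"):
            key = entry[2:-1]
            deletions.append(key)
            leaf = key.rsplit("\\", 1)[-1]
            if ACTIVE_SETUP in key.lower() and not GUID.match(leaf):
                notes.append(f"Active Setup component name is not a well-formed GUID: {leaf}")
        else:
            notes.append(f"unrecognised Registry entry: {entry}")
    return files, deletions, notes
```

Run against the posted script, `review(parse_cfscript(CFSCRIPT))` lists the two files and the one key to be deleted, and notes that the Active Setup component name contains non-hexadecimal characters.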
     


  4. 2007/08/26
    noahdfear

    Yes, it may be too big. There's a 20,000 character per post limit. Try putting it into two or more posts.
     
  5. 2007/08/26
    noahdfear

    Looks great! :)

    Let's take a look at a few security related registry keys that may have been affected. Copy the contents of the quote box below to a blank notepad. Save it to the desktop as:

    Filename: peek.bat
    Save as type: All Files (*.*)

    Double click the file to run it. When it completes it will open peek.txt
    Post the contents of that log.
     
  6. 2007/08/26
    noahdfear

    Looks to be in order.

    Please zip the C:\Qoobox folder, then upload the zip to my submission channel. Leave a link back to this topic.

    Delete all of the following tools we have used, and the files/folders they created.

    C:\Deckard
    C:\QOOBOX
    C:\SDFix
    C:\VundoFix Backups
    C:\WINDOWS\nircmd.exe
    combofix.exe
    dss.exe
    Gmer.exe
    sdfix.exe
    vundofix.exe
    WinsockFix
    all combofix, sdfix and vundofix logs and scripts
    All bat files we created and their logs.
    Open the HijackThis backups folder and delete everything.


    Download ATF Cleaner by Atribune and save it to your Desktop.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Reboot.

    If you're satisfied that the computer is working properly, clear the System Restore points. They are infected.

    Clear past system restore points and create a new one.
    Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply. Click OK, then OK to close the System Properties dialog.

    Verify a new restore point was created.
    Click Start>All Programs>Accessories>System Tools>System Restore
    Select 'Restore my computer to an earlier time', then click next.
    You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point' then click Next. Give the restore point a name and click next.

    Geri has posted some very helpful information and recommendations regarding future protection in the following link.

    http://www.windowsbbs.com/showpost.php?p=356653&postcount=49


    I encourage you to let the IT staff on the domain know about this, and maybe even give them a link to this topic. Some of the infections are quite capable of stealing passwords and logon credentials, infecting network shares, etc. They might want to reset your logon credentials at least.

    You should probably change passwords for any online banking or other secure transactions you do on that computer as well.

    Surf safe!
     
