Virus buggering system

Post » Sat May 28, 2011 7:15 am

Yesterday my computer was used by my sister to back up her USB (which had previously been connected to the school network where she works). Since then, my system has been well and truly buggered, so it looks like I've picked up a virus from it.

When loading my system in either safe mode or normal mode, the start bar and desktop icons do not appear. The desktop background will load, but nothing else. During this time, however, I will get alerts from ZoneAlarm asking for files with gobbledegook names like "Gefakoolo" to access the internet. (Obviously, I denied access.) All I am able to do is use Ctrl+Alt+Del to bring up the Task Manager and work from there.

In safe mode, I managed to use Avast! Antivirus, Malwarebytes and Spybot to do complete system scans, which returned nothing. In MSCONFIG, however, I identified a number of .exe files using the gobbledegook names hiding in my Local Files/Temp directory that had never been on my startup list before. I tracked down and deleted all the files I could in there, but the system still remains buggered, and the files still appear on the startup list. Some of these files are things like "IGwqNKmplw", "RTHDCPL" and "enamikuxiyayidad".

I am truly unsure as to what to do. I'm typing this on my laptop right now, with the infected computer next to me; I am still working in safe mode and the system is disconnected from the internet.

If anyone has any ideas as how to remove this menace from my system I will give you Tasmania as a reward.
Nick Swan
Posts: 3511
Joined: Sat Dec 01, 2007 1:34 pm
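Added example (not code from the thread): the post above found startup entries with random names pointing into a Temp directory via MSCONFIG. The same check can be done offline against a `reg export` of the Run keys, which is easier to read and to repeat after each cleanup attempt. The .reg text below is constructed from the names mentioned in the post, not a real export; the user-profile name "Owner", the ZoneAlarm path and the `reg delete` lines it prints are assumptions. Exports from regedit/reg.exe are UTF-16 with a BOM, so a real file should be opened with `encoding='utf-16'`.

```python
"""Flag Run-key startup entries that execute from a Temp directory.

Usage on a real export:
    reg export HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run run.reg
    python flag_temp_startup.py run.reg
"""
import re
import sys

# Constructed sample (not a real export); the value names come from the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"IGwqNKmplw"="C:\\WINDOWS\\Temp\\IGwqNKmplw.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Gefakoolo"="\"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\Gefakoolo.exe\""
"enamikuxiyayidad"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\enamikuxiyayidad.exe"
'''

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# A path component named Temp or Tmp anywhere in the command line; this covers
# "Local Settings\Temp", the 8.3 form "LOCALS~1\Temp" and "C:\WINDOWS\Temp".
TEMP_DIR_RE = re.compile(r'\\te?mp\\', re.IGNORECASE)
ROOT_ABBREV = {'HKEY_LOCAL_MACHINE': 'HKLM', 'HKEY_CURRENT_USER': 'HKCU'}


def unescape_reg_sz(data):
    """Undo .reg string escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    out, i = [], 0
    while i < len(data):
        if data[i] == '\\' and i + 1 < len(data) and data[i + 1] in '\\"':
            out.append(data[i + 1])
            i += 2
        else:
            out.append(data[i])
            i += 1
    return ''.join(out)


def parse_run_entries(reg_text):
    """Return [{'key', 'name', 'command'}] for every string value in the export."""
    entries, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append({'key': key, 'name': m.group('name'),
                            'command': unescape_reg_sz(m.group('data'))})
    return entries


def temp_startup_entries(reg_text):
    """Entries whose command line runs something out of a Temp directory."""
    return [e for e in parse_run_entries(reg_text) if TEMP_DIR_RE.search(e['command'])]


def removal_commands(entries):
    """reg.exe lines that remove just the Run value (the file itself stays put)."""
    cmds = []
    for e in entries:
        root, _, sub = e['key'].partition('\\')
        cmds.append('reg delete "%s\\%s" /v "%s" /f'
                    % (ROOT_ABBREV.get(root, root), sub, e['name']))
    return cmds


if __name__ == '__main__':
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-16') as f:
            text = f.read()
    else:
        text = SAMPLE_REG
    hits = temp_startup_entries(text)
    for e in hits:
        print('%s\\%s -> %s' % (e['key'], e['name'], e['command']))
    for cmd in removal_commands(hits):
        print(cmd)
```

Deleting the Run value only stops that one launch path; the post itself shows the entries coming back, which is the usual sign that another running component (or a second persistence location such as a service, a Winlogon key or a scheduled task) is re-creating them.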

Post » Sat May 28, 2011 1:04 pm

One solution:

1. Download http://unetbootin.sourceforge.net/ to the infected computer.
2. Run UNetbootin.
3. Have UNetbootin download Kaspersky Rescue Disk (10Live) and have it install to your C:\ drive. This will modify your Windows boot.ini file so that you can choose to run Kaspersky Rescue Disk (it might be labeled UNetbootin) instead of Windows the next time you boot up your machine (though Windows is still the default).
4. Run virus scans and such from Kaspersky.
5. Boot back into Windows.
6. Profit.
Emilie M
Posts: 3419
Joined: Fri Mar 16, 2007 9:08 am

Post » Sat May 28, 2011 8:10 am

One solution:

1. Download http://unetbootin.sourceforge.net/ to the infected computer.
2. Run UNetbootin.
3. Have UNetbootin download Kaspersky Rescue Disk (10Live) and have it install to your C:\ drive. This will modify your Windows boot.ini file so that you can choose to run Kaspersky Rescue Disk (it might be labeled UNetbootin) instead of Windows the next time you boot up your machine (though Windows is still the default).
4. Run virus scans and such from Kaspersky.
5. Boot back into Windows.
6. Profit.


I might give that a try once I'm finished with my current scan. Afterwards, is it possible to remove UNetbootin and simply run Windows automatically?

I managed to load the desktop normally and have full access to my files. However, it took about 4 minutes of waiting for the desktop icons to actually appear after the background did. At the moment I'm running a Windows Malicious Software Removal Tool scan just to see if it picks up anything.
Robert
Posts: 3394
Joined: Sun Sep 02, 2007 5:58 am

Post » Sat May 28, 2011 12:52 pm

Well, the Windows Malicious Software Removal Tool found nothing, but lo and behold, all staff from the school today were informed that the school system may have a virus. :rolleyes:
Blaine
Posts: 3456
Joined: Wed May 16, 2007 4:24 pm

Post » Sat May 28, 2011 5:49 am

Have you tried using something like AVG instead of Avast? It may be that your current AV software has been corrupted.
Richard
Posts: 3371
Joined: Sat Oct 13, 2007 2:50 pm

Post » Sat May 28, 2011 7:19 am

Have you tried using something like AVG instead of Avast? It may be that your current AV software has been corrupted.


Well, I uninstalled and reinstalled both Malwarebytes and Avast! with the latest versions. Both immediately began to pick up a [censored]load of problems. I've done scans with both, removing all the problems they find. Things haven't improved, though. I can now load safe mode fine, but normal mode just gets me stuck at the desktop background completely, unable even to open Task Manager.

OK, I've tried a complete clean boot, but the system is still completely stuffed. The only processes running are things like explorer, Task Manager, System and a load of svchosts. The virus is still running at this moment, however, as loading Firefox resulted in me being sent to a pornographic website. Is it possible that the virus is embedded and hiding in a svchost process?
Sakura Haruno
Posts: 3446
Joined: Sat Aug 26, 2006 7:23 pm
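Added example (not code from the thread), prompted by the "hiding in a svchost process" question above. On Windows XP a genuine svchost.exe lives in %SystemRoot%\system32, is started by services.exe, and runs as SYSTEM, LOCAL SERVICE or NETWORK SERVICE; an instance that breaks any of those rules is either an impostor using the name or a copy launched by something other than the service control manager. The process records below are constructed to look like the columns Task Manager ("User Name") and Process Explorer (parent, image path) show; the PIDs, the "Owner" account and the C:\WINDOWS system root are assumptions. Code injected into a real svchost passes all three checks, so this only rules out the cheap trick, not the expensive one.

```python
"""Sanity-check every svchost.exe in a process listing from an XP machine."""

SYSTEM_ROOT = r'C:\WINDOWS'                      # assumption: XP default install
GENUINE_PATH = SYSTEM_ROOT + r'\system32\svchost.exe'
SERVICE_ACCOUNTS = {'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE'}

# Constructed sample listing (not captured from the poster's machine).
SAMPLE_PROCESSES = [
    {'pid': 4,    'ppid': 0,    'name': 'System',       'path': '',                                          'user': 'SYSTEM'},
    {'pid': 540,  'ppid': 380,  'name': 'winlogon.exe', 'path': r'C:\WINDOWS\system32\winlogon.exe',         'user': 'SYSTEM'},
    {'pid': 600,  'ppid': 540,  'name': 'services.exe', 'path': r'C:\WINDOWS\system32\services.exe',         'user': 'SYSTEM'},
    {'pid': 812,  'ppid': 600,  'name': 'svchost.exe',  'path': r'C:\WINDOWS\system32\svchost.exe',          'user': 'SYSTEM'},
    {'pid': 880,  'ppid': 600,  'name': 'svchost.exe',  'path': r'C:\WINDOWS\System32\svchost.exe',          'user': 'NETWORK SERVICE'},
    {'pid': 1024, 'ppid': 600,  'name': 'svchost.exe',  'path': r'C:\WINDOWS\system32\svchost.exe',          'user': 'LOCAL SERVICE'},
    {'pid': 1500, 'ppid': 1480, 'name': 'explorer.exe', 'path': r'C:\WINDOWS\explorer.exe',                  'user': 'Owner'},
    # Same file name, wrong directory, started by Explorer, running as the user.
    {'pid': 1720, 'ppid': 1500, 'name': 'svchost.exe',  'path': r'C:\DOCUME~1\Owner\LOCALS~1\Temp\svchost.exe', 'user': 'Owner'},
    # Right parent and account, but the image sits one directory too high.
    {'pid': 1804, 'ppid': 600,  'name': 'svchost.exe',  'path': r'C:\WINDOWS\svchost.exe',                   'user': 'SYSTEM'},
]


def svchost_findings(processes):
    """Return [(pid, [reason, ...])] for every svchost.exe that fails a rule."""
    by_pid = {p['pid']: p for p in processes}
    findings = []
    for p in processes:
        if p['name'].lower() != 'svchost.exe':
            continue
        reasons = []
        # Rule 1: the image must be the one in system32 (compare case-insensitively).
        if p['path'].lower() != GENUINE_PATH.lower():
            reasons.append('image is %s, not %s' % (p['path'], GENUINE_PATH))
        # Rule 2: only the service control manager (services.exe) starts svchost.
        # A parent PID can be reused after the parent exits, so 'unknown' is a
        # prompt to look again in Process Explorer, not proof of anything.
        parent = by_pid.get(p['ppid'])
        parent_name = parent['name'] if parent else '<exited or unknown>'
        if parent_name.lower() != 'services.exe':
            reasons.append('parent is %s, not services.exe' % parent_name)
        # Rule 3: svchost never runs under the logged-on user's account.
        if p['user'].upper() not in SERVICE_ACCOUNTS:
            reasons.append('runs as %s, not a service account' % p['user'])
        if reasons:
            findings.append((p['pid'], reasons))
    return findings


if __name__ == '__main__':
    for pid, reasons in svchost_findings(SAMPLE_PROCESSES):
        print('PID %d:' % pid)
        for r in reasons:
            print('   -', r)
```

On a live box the equivalent of the sample list comes from Process Explorer's tree view (path and parent are in the properties dialog) together with Task Manager's User Name column; anything flagged is worth checking against the file's size and digital signature before trusting it.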

Post » Sat May 28, 2011 1:50 pm

Well, I uninstalled and reinstalled both Malwarebytes and Avast! with the latest versions. Both immediately began to pick up a [censored]load of problems. I've done scans with both, removing all the problems they find. Things haven't improved, though. I can now load safe mode fine, but normal mode just gets me stuck at the desktop background completely, unable even to open Task Manager.

OK, I've tried a complete clean boot, but the system is still completely stuffed. The only processes running are things like explorer, Task Manager, System and a load of svchosts. The virus is still running at this moment, however, as loading Firefox resulted in me being sent to a pornographic website. Is it possible that the virus is embedded and hiding in a svchost process?


The problem is identifying what type of virus it is so that you can remove it. If you feel "comfortable", you could try to download HijackThis and use it to see every single thing currently going on, then delete what you want. However, you have to be careful, because it can very well fubar your system beyond what's happening right now if you aren't careful. I had a particularly nasty virus on my laptop called Vundo and had a Microsoft tech use that to remove the stuff from my system.
Nikki Hype
Posts: 3429
Joined: Mon Jan 01, 2007 12:38 pm

Post » Sat May 28, 2011 2:42 am

I think you need to contemplate the notion of wiping the hard drive and reinstalling Windows.

If you don't have a backup from before the virus got injected, you may well be hosed.
Davorah Katz
Posts: 3468
Joined: Fri Dec 22, 2006 12:57 pm

Post » Sat May 28, 2011 4:31 pm

I think you need to contemplate the notion of wiping the hard drive and reinstalling Windows.


Works every time, and I concur. Once infected, reinstalling is the only way to be 100% sure there are no "bytes" left behind, in my opinion. 99% just doesn't cut it with me when it comes to viruses/trojans.

With everything you have done without success, my vote is that this is the only option remaining. At least, the only one I'd be comfy with if it were my rig.
Melanie
Posts: 3448
Joined: Tue Dec 26, 2006 4:54 pm

Post » Sat May 28, 2011 8:01 am

... or you could just follow my advice and not have to reformat your system. :P
noa zarfati
Posts: 3410
Joined: Sun Apr 15, 2007 5:54 am

Post » Sat May 28, 2011 12:19 pm

Try Reneer's solution. If that doesn't work, http://www.bleepingcomputer.com/combofix/how-to-use-combofix time.
Stryke Force
Posts: 3393
Joined: Fri Oct 05, 2007 6:20 am

Post » Sat May 28, 2011 10:20 am

... or you could just follow my advice and not have to reformat your system. :P


Still no guarantee it was 100% successful.

Once corrupted, I would not trust that install, ever. (Not that I have ever been infected, but if I was it would be a full reinstall for me.)

I shop online with this rig, visit my bank, and I just wouldn't risk it personally. :shrug:

Sure, it's a PITA to do, but the peace of mind is well worth it!
Sanctum
Posts: 3524
Joined: Sun Aug 20, 2006 8:29 am

Post » Sat May 28, 2011 6:16 am

... or you could just follow my advice and not have to reformat your system. :P

While I generally agree that going your way is worth a shot, there comes a point when it is no longer worth it to salvage your system. When a virus is nasty, it'll corrupt Windows files, so even after the infection is gone, your system will never be back to its old performance without serious work, more work than a backup, reformat, and reinstall.
Claire Jackson
Posts: 3422
Joined: Thu Jul 20, 2006 11:38 pm

Post » Sat May 28, 2011 5:01 pm

Works every time, and I concur. Once infected, reinstalling is the only way to be 100% sure there are no "bytes" left behind, in my opinion. 99% just doesn't cut it with me when it comes to viruses/trojans.

With everything you have done without success, my vote is that this is the only option remaining. At least, the only one I'd be comfy with if it were my rig.


I'm 100% with Wolfpup (EDIT: and DEFRON) here... at the school where I work, if a computer has been infected for more than a couple of hours (that we think), we reinstall... of course, they're all domain-based, so it's not so much of an issue...

In all honesty, whilst Reneer's suggestion is good, it seems to have been infected for a while... even if you do get rid of the virus itself, there's no telling what it's done to your system files... maybe installed a rootkit? The only sure-fire way after this length of time will be a new build of Windows... it may seem like an unnecessary 2-hour time investment, but it'll save you time in the long run... you'll possibly be back here in a couple of months asking the same question :(
Benito Martinez
Posts: 3470
Joined: Thu Aug 30, 2007 6:33 am

Post » Sat May 28, 2011 1:15 pm

If you're really against a format and reinstallation, you have the original culprit (your sister's USB). The virus might be identifiable from there. However, as Defron points out, even disabling the virus doesn't fix potentially corrupt Windows files. The only real solution is to wipe the drive and reinstall Windows.
Eileen Müller
Posts: 3366
Joined: Fri Apr 13, 2007 9:06 am

Post » Sat May 28, 2011 9:53 am

I agree with the reformat - I wasn't aware of the possibly-corrupt Windows files. In that sort of case, a reformat would be best.
Christie Mitchell
Posts: 3389
Joined: Mon Nov 27, 2006 10:44 pm

Post » Sat May 28, 2011 12:15 pm

I had a similar problem just before Christmas. I got a virus called Antivir Solution Pro. After I managed to get rid of most of it, my computer developed computer cancer and played all sorts of tricks. My favourite being an infinite loop of restarts; then, when it got bored of that, it died while not loading past "Windows XP is loading". I'm going to burn my old hard drive because it is just a zombie now.
N3T4
Posts: 3428
Joined: Wed Aug 08, 2007 8:36 pm

Post » Sat May 28, 2011 4:05 pm

I'm trying to avoid having to reformat, but it looks like that may well be the only option. Once again, my AV and similar software started telling me there was nothing wrong on my system. A reinstall of them brought back the dozens of alerts. Also, I'm getting virus alerts from svchost, and explorer.exe itself seems to be getting corrupted. Looks like Windows itself is well and truly being buggered, doesn't it?
Isabella X
Posts: 3373
Joined: Sat Dec 02, 2006 3:44 am

Post » Sat May 28, 2011 5:09 pm

I'm trying to avoid having to reformat, but it looks like that may well be the only option. Once again, my AV and similar software started telling me there was nothing wrong on my system. A reinstall of them brought back the dozens of alerts. Also, I'm getting virus alerts from svchost, and explorer.exe itself seems to be getting corrupted. Looks like Windows itself is well and truly being buggered, doesn't it?

Sure sounds like it. You probably should reformat if your system is that messed up. Might even be a good time to upgrade if you aren't already running Windows 7.

Or, you know, if you don't play games that much, you could always try out Linux... :P
Khamaji Taylor
Posts: 3437
Joined: Sun Jul 29, 2007 6:15 am

Post » Sat May 28, 2011 12:15 pm

Sure sounds like it. You probably should reformat if your system is that messed up. Might even be a good time to upgrade if you aren't already running Windows 7.

Or, you know, if you don't play games that much, you could always try out Linux... :P


Heh, I use this machine for a lot of gaming, so I'd rather be able to simply install and run them straight away.

A quick question: I'm trying to figure out how to safely copy some files over to a secure storage device without the virus spreading. Would booting the computer in safe mode and then connecting an external USB drive provide me a means to copy over needed files without the risk of the virus spreading as well?
Danii Brown
Posts: 3337
Joined: Tue Aug 22, 2006 7:13 am

Post » Sat May 28, 2011 2:11 pm

Heh, I use this machine for a lot of gaming, so I'd rather be able to simply install and run them straight away.

A quick question: I'm trying to figure out how to safely copy some files over to a secure storage device without the virus spreading. Would booting the computer in safe mode and then connecting an external USB drive provide me a means to copy over needed files without the risk of the virus spreading as well?

It can't be said with 100% certainty what is definitively safe to copy and what isn't without knowing the specifics of the virus. Some viruses infect PDF and DOC files, for example. Generally, just avoid copying over any BAT, VBS, EXE, MSI, COM, INF and SYS files and you should be good. Any non-executable file is generally safe (PDF and DOC aren't necessarily, because they both do have file execution/scripting specifications).

On a related note, here's http://www.youtube.com/watch?v=54XYqsf4JEY

Oh, and I always do copies of infected machines from a Linux live CD. The chances of the virus actively infecting the external drive (the autorun.inf file in particular) are small, but a definite possibility.

Edit: actually, considering how the virus got onto your system (an infected USB), I'd say that might be a distinct possibility in your case, so I definitely recommend a live CD for file copying.
Chloe Yarnall
Posts: 3461
Joined: Sun Oct 08, 2006 3:26 am
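Added example (not code from the thread) that turns the advice above into a script to run from the live CD: mount the infected volume read-only (for instance `mount -o ro /dev/sda1 /mnt/infected`), plug in the external drive, and let the script copy only what passes. The blocked list starts from the extensions the reply names; the extra extensions and the MZ-header check are additions of mine, since an executable renamed to .jpg is still an executable, and the DOC/PDF "review" list follows the reply's caveat that those can carry scripts. The `demo()` tree is constructed sample data, not files from the poster's machine.

```python
"""Copy only non-executable files off an infected disk (run from a live CD).

    python salvage.py /mnt/infected/Documents\ and\ Settings/Owner /media/usb/Owner
"""
import os
import shutil
import sys
import tempfile

# Extensions the reply says never to copy ...
BLOCKED_EXT = {'.bat', '.vbs', '.exe', '.msi', '.com', '.inf', '.sys'}
# ... plus other directly executable/script types (assumption, added here).
BLOCKED_EXT |= {'.cmd', '.scr', '.pif', '.dll', '.cpl', '.js', '.wsf', '.lnk'}
# Copied, but listed for an AV scan on the clean machine: formats with macro/script support.
REVIEW_EXT = {'.doc', '.dot', '.xls', '.ppt', '.pdf', '.rtf'}


def has_pe_header(path):
    """True if the file starts with the 'MZ' magic every Windows executable and DLL carries."""
    try:
        with open(path, 'rb') as f:
            return f.read(2) == b'MZ'
    except OSError:
        return True  # unreadable: treat as unsafe rather than guess


def salvage(src_root, dst_root):
    """Walk src_root, copy allowed files under dst_root; return (copied, skipped, review)."""
    copied, skipped, review = [], [], []
    for dirpath, _dirs, files in os.walk(src_root):
        for name in files:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root).replace(os.sep, '/')
            ext = os.path.splitext(name)[1].lower()
            if name.lower() == 'autorun.inf' or ext in BLOCKED_EXT:
                skipped.append((rel, 'blocked extension'))
                continue
            if has_pe_header(src):
                skipped.append((rel, 'MZ header behind a harmless-looking extension'))
                continue
            dst = os.path.join(dst_root, *rel.split('/'))
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copyfile(src, dst)  # contents only; NTFS attributes and ACLs are left behind
            copied.append(rel)
            if ext in REVIEW_EXT:
                review.append(rel)
    return copied, skipped, review


def demo():
    """Build a constructed tree (sample data, not real files) and salvage it."""
    src, dst = tempfile.mkdtemp(prefix='infected_'), tempfile.mkdtemp(prefix='clean_')
    samples = {
        'Documents/notes.txt': b'shopping list',
        'Documents/thesis.doc': b'\xd0\xcf\x11\xe0 constructed doc',
        'Pictures/holiday.jpg': b'\xff\xd8\xff\xe0 constructed jpeg',
        'Pictures/holiday2.jpg': b'MZ\x90\x00 executable renamed to .jpg',
        'autorun.inf': b'[autorun]\r\nopen=Gefakoolo.exe\r\n',
        'Gefakoolo.exe': b'MZ\x90\x00',
        'setup.bat': b'@echo off',
    }
    for rel, data in samples.items():
        path = os.path.join(src, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as f:
            f.write(data)
    try:
        copied, skipped, review = salvage(src, dst)
    finally:
        shutil.rmtree(src)
        shutil.rmtree(dst)
    return sorted(copied), sorted(r for r, _ in skipped), sorted(review)


if __name__ == '__main__':
    if len(sys.argv) == 3:
        copied, skipped, review = salvage(sys.argv[1], sys.argv[2])
    else:
        copied, skipped, review = demo()
    print('copied:', copied)
    print('skipped:', skipped)
    print('scan before opening:', review)
```

Because the source is mounted read-only, nothing on the infected disk can run or change during the copy, which is the point of doing this from the live CD rather than from safe mode; the destination drive still gets scanned on the clean machine before anything on it is opened.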

Post » Sat May 28, 2011 11:59 am

A quick question: I'm trying to figure out how to safely copy some files over to a secure storage device without the virus spreading. Would booting the computer in safe mode and then connecting an external USB drive provide me a means to copy over needed files without the risk of the virus spreading as well?

Short answer: No.

Long answer: The virus may still be able to spread in Safe Mode, or it may be contained in files that you are copying over. Unless you really need those files, I would simply start from scratch on most things (and take DEFRON's suggestions into account).
Michelle Serenity Boss
Posts: 3341
Joined: Tue Oct 17, 2006 10:49 am

Post » Sat May 28, 2011 4:11 pm

I'd just like to say thanks to everyone here for the help and advice that was given. Using a live CD and help from a friend, I was able to retrieve the individual files I didn't want to lose and reformat my system. Everything is running fast and squeaky clean :)

Thanks all! :D
Neko Jenny
Posts: 3409
Joined: Thu Jun 22, 2006 4:29 am

Post » Sat May 28, 2011 3:23 am

Glad to see you got it sorted.

'Twas my pleasure. :)
Tikarma Vodicka-McPherson
Posts: 3426
Joined: Fri Feb 02, 2007 9:15 am

Post » Sat May 28, 2011 4:43 pm

Good job. I'm glad you were able to save your data as well. :celebration:
Sammygirl
Posts: 3378
Joined: Fri Jun 16, 2006 6:15 pm
