soompi forums: Serious Trojan Problem

Serious Trojan Problem it just won't go away

#1 tictocsunny (Member, Posts: 106, Joined: 24-July 08)
Posted 17 February 2009 - 08:46 PM

A trojan was detected: Generic!atr, located at c:\autorun.inf.
McAfee keeps saying they deleted it, but it just keeps popping
up over and over again.

In almost every thread or forum it says to download a virus
scanner/remover, but this trojan does not allow me to access
any files or programs whatsoever except for My Documents,
My Pictures, etc. I have tried rebooting in safe mode, but nothing works.

Should I get professional help?

#2 NPB-XK (Sometimes Not High, Posts: 3,618, Joined: 06-September 07)
Posted 17 February 2009 - 09:22 PM

That Trojan is tricky. It can vary its little details, so what you find in Google or wherever may be inaccurate.
Anti-whatever software is not always the best. WE, humans, are the best.
(Only if we know what we're doing.)

Anyway...
Let's start slowly from the root and let's guess what it's doing and where it's located.

Can you go to C:\ and find this "autorun.inf"?
If not, go to "Tools", "Folder Options", "View", check "Show hidden files and folders", uncheck "Hide extensions for known file types" <--- This will help you to find the specific files more easily, uncheck "Hide protected operating system files (Recommended)". Click "Apply" and look at your C:\ folder. Can you see autorun.inf?

autorun.inf shouldn't exist in the first place [it's often created by a virus], but do not delete it yet. This will give us some clues.
Open that file (autorun.inf) with NOTEPAD and press CTRL+A to select all, and CTRL+C to copy them. Paste the result here. I wanna know it and analyze it quickly. I'll help you out with the next step. I can't give you any further steps because I need you to tell me what's in autorun.inf.
Status: Creepy Stalker - [411][FetishBook]
Posted Image
My name is NPB, I live in an igloo, I eat pancakes with maple syrup, I own a beaver, I don't like Justin Bieber, I ride a female moose to work and I'm Asian Posted Image. Eh. I'm a Poutine-Eater.

#3 tictocsunny (Member, Posts: 106, Joined: 24-July 08)
Posted 18 February 2009 - 04:29 PM

First off, thank you, but
my Tools menu doesn't show the Folder Options button.

Mine only says:
Map Network Drive
Disconnect Network Drive
Synchronize

#4 NPB-XK (Sometimes Not High, Posts: 3,618, Joined: 06-September 07)
Posted 18 February 2009 - 05:20 PM

Haha... Good to know. It's part of what the virus is doing. A pretty rookie move by the creator of the virus. Or someone who modified a part of its code. He/She obviously doesn't want you to look for the hidden autorun.inf.

You'll have two ways to make this button show up.

1st is to get through gpedit.
Press Win+R and type:
gpedit.msc
and press Enter.
Inside of it, under "User Configuration", click + next to:
"Windows Components", then "Administrative Templates".
Click on "Windows Explorer" folder inside of it.
"Removes the Folder Options blah blah..." Can you see it? Double click it and is it already "Not Configured"? If not, check "Not Configured" and click Apply and then Ok.

If the 1st step doesn't work, you'll have to get through the sensible brain of Windows. Your registry.
Press Win+R and type:
regedit
and press Enter.
Click + next to each folder as follows:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

In Explorer folder, on the right, you MUST see:
"NoFolderOptions"=dword:0000000 <--- Value Data
There's no way such a rookie virus trick could fool me and you there.
Delete it. (Right-Click and Delete).
You gotta be able to see the folder options you were looking for now. Otherwise, restart your PC.
Or instead of restarting your PC if you're afraid it's gonna take too long, you can CTRL+ALT+DEL and end Explorer.exe process in Processes tab. Then you'll see that you'll only see the wallpaper of your desktop and nothing else. Go to File and New Task (Run). Type explorer.exe and press Enter. Close the Task Manager and there you go.

#5 tictocsunny (Member, Posts: 106, Joined: 24-July 08)
Posted 18 February 2009 - 05:36 PM

I have already tried using the run command, but
still no luck accessing it.

#6 NPB-XK (Sometimes Not High, Posts: 3,618, Joined: 06-September 07)
Posted 18 February 2009 - 05:44 PM

Is your CTRL+ALT+DEL working?
It should open a task manager.
In task manager, you can go to "File" and "New Task (Run)".
Type regedit there and press enter.

If you still can't, tell me. We'll have to go through the hard way, attempting to pass by the cmd console first. The trick isn't considered "Rookie" after all... I take back what I said... Hahaha.
Anyway, tell me if running regedit through CTRL+ALT+DEL works.

#7 tictocsunny (Member, Posts: 106, Joined: 24-July 08)
Posted 18 February 2009 - 05:55 PM

Hmmm, I will try in like an hour; it keeps freezing.
It did this yesterday and was fine after a while.

#8 NPB-XK (Sometimes Not High, Posts: 3,618, Joined: 06-September 07)
Posted 18 February 2009 - 06:06 PM

Come to think of it, we won't need to do the hard way. [CMD console].
You would have too much to remember and type... It's reserved for professionals...
There's still a very high hope though. Here's what we're gonna do.
We won't use any "run" (if the one in Task Manager also doesn't work).
We'll go manually find those regedit and gpedit.msc.
"We won't take the plane. We'll go by foot." Ok that's pretty random.

Anyway, the path to open regedit.exe is:
C:\WINDOWS\

As for gpedit.msc, you can find it here:
C:\WINDOWS\system32

That virus has caused so much mess... Pretty tiring to fix all of them.
What's important is to find where its heart is running. A virus can have multiple "hearts" installed in multiple places. But there's always a way to find them. I'm sure that one has multiple hearts. When you delete one, it works on another heart and it may even re-generate the heart you have deleted. Annoying. Once we destroy its heart, we'll delete autorun.inf as well. And it's gonna be time to really fix all the mess. At the moment, we're aiming at what autorun.inf may have for us. It contains some important clues. Maybe even the secret of where the hearts are located.

See you around.

#9 tictocsunny (Member, Posts: 106, Joined: 24-July 08)
Posted 18 February 2009 - 07:34 PM

mmmmmkay hehe :]
*deep breath*
and so right now I am currently at C:\WINDOWS\system32

#10 NPB-XK (Sometimes Not High, Posts: 3,618, Joined: 06-September 07)
Posted 18 February 2009 - 07:36 PM

QUOTE (tictocsunny @ Feb 18 2009, 10:34 PM)
mmmmmkay hehe :]
*deep breath*
and so right now I am currently at C:\WINDOWS\system32


Well since there seems to be so many things you can't do, can you go back to:
C:\WINDOWS\
?
And find regedit.exe

Tell me if you can find it. Also, can you open it?
If yes, I'll tell you the next steps.

#11 tictocsunny (Member, Posts: 106, Joined: 24-July 08)
Posted 18 February 2009 - 07:51 PM

More bad news.

This popped up. Well, I couldn't screen cap it,
so I just changed the words on a different picture.



#12 NPB-XK (Sometimes Not High, Posts: 3,618, Joined: 06-September 07)
Posted 18 February 2009 - 08:05 PM

mmmHMMmmm...
I'll try to look for some solutions without sending you any link to download a software. I prefer fixing manually. I'll put this aside just for a while.

Meanwhile, can you go to:
C:\WINDOWS\system32

And find regedt32.exe ? Can you open that one?
In the same folder, how about opening gpedit.msc? (I know, there are soooo many stuff in system32 folder... gotta search carefully)...
Tell me if it works...
If gpedit.msc can't even open, then "dang!"... That virus is tougher than I think. There's a way to fix it though.

#13 tictocsunny (Member, Posts: 106, Joined: 24-July 08)
Posted 18 February 2009 - 08:21 PM

same exact response as before.
that error pops on any file I click

#14 AzizOnDeck (Geek, Posts: 974, Joined: 29-December 06)
Posted 18 February 2009 - 08:30 PM

My turn to take control of this! AHEM xD Just kidding

Questions:
(Please answer in full sentences)

When did the problem start occurring?

What was the last activity done before the virus was triggered?

Have you tried any System Restores, or does the virus disallow that?

Absolutely no programs can be run or just downloaded programs?

“She won’t be the one to take your walls down, but instead, lets you in past hers … leading you away from your own.” - Mason Thac

#15 tictocsunny (Member, Posts: 106, Joined: 24-July 08)
Posted 18 February 2009 - 08:35 PM

QUOTE (NurthinAziz @ Feb 18 2009, 08:30 PM)
My turn to take control of this! AHEM xD Just kidding

Questions:
(Please answer in full sentences)

When did the problem start occurring?

What was the last activity done before the virus was triggered?

Have you tried any System Restores, or does the virus disallow that?

Absolutely no programs can be run or just downloaded programs?


1. It started 3 days ago.

2. I was watching asian dramas/variety shows as usual
on either youtube.com or aznv.tv

3.The virus disallows system restores.

4.No programs can run whatsoever. I can see them
but an error keeps popping up saying that there are no
more files.

#16 AzizOnDeck (Geek, Posts: 974, Joined: 29-December 06)
Posted 18 February 2009 - 08:47 PM

What I recommend doing in this case if that doesn't interfere with NPB-XK's solution to the problem, is if possible download a bootable virus scanner and run it when your system boots up... and pray to a higher power that it works and hopefully fixes the problem, if not at least fixes some parts of it... I'm guessing you have access to another PC? If so, try this out

http://www.avast.com/eng/avast_bart_cd.html

You, unfortunately, do have to fill out a form, and in return you will receive an email that will carry you on further with the BART CD, which will allow you to use it for a full 14 days.



#17 NPB-XK (Sometimes Not High, Posts: 3,618, Joined: 06-September 07)
Posted 18 February 2009 - 09:14 PM

Since that virus is giving me a headache from your result, I went to my computer lab and purposely tried to find the same virus and infected myself with it. Gotta analyze it myself.
Right after the infection:
My sent/upload package went up fast as hell! I had to disconnect that PC.
Really, I was underestimating the power and speed of execution of that trojan.
Since I don't know where the whole virus is located and it won't allow me to use any tool to find it, there's not a chance for me to eliminate that virus manually by myself. I gotta do some research on google or even download some software which can find it and eliminate it for me.
And as for the damage caused by the virus, if I create a fresh .reg file (from another PC) to try to fix the registry in that infected PC, it won't open the .reg file either.

After further research, there's no way we can solve that problem in Windows OS.
Yes, the virus may be eliminated or partially eliminated (since autorun is still there but if the core of the virus is destroyed/eliminated, autorun becomes useless).
With those softwares and steps you've followed to eliminate the virus, it's possible that you succeeded in eliminating it.
But the reason why you can't do much - you can't open anything anymore, is not necessarily because the virus is still alive. But because of the damage that has been caused by the virus.
On my analysis, the big damage has been done in your registry, and it's not possible to fix it from Windows OS. Even in safe mode. But hopefully, it didn't go further than just your registry.

What you'll need is to preferably have a Windows XP CD to boot and get into the recovery console to perform a chkdsk /r
and it will recover the damaged part of the registry.
It worked for me just now.

By then, you'll be able to open some important stuff like regedit.exe.
It will be time to fix the rest of the damaged stuff (that's where it becomes more relaxed).
And then we gotta trace the virus' "hearts" from autorun.inf to see if the virus is still alive.

The only hope for the fix, having a Windows XP CD... or out of surprise, having a linux in the same computer just like another person I'm helping in another thread haha.

Sorry. You can try to go get it fixed by another expert (in a computer store or any place like that); he'd do the same as I suggest: booting the Win XP CD for a chkdsk. Except that he'd charge you money...

#18 h2obubbli (Member, Posts: 1,033, Joined: 08-December 05)
Posted 19 February 2009 - 05:57 AM

NPB, do you know how to get rid of the infamous Virtumonde? I kinda got my sis's PC infected =.=;;;
In the past I had to reformat the comp, but I don't have a Windows disk atm....
º flickr º
•Tumblr•
Love my Babo :)

#19 NPB-XK (Sometimes Not High, Posts: 3,618, Joined: 06-September 07)
Posted 19 February 2009 - 02:54 PM

tictocsunny, one last hope (without counting the chkdsk's hope):

I've created a .inf file (taken from my book, and version $CHICAGO$). I can't let you create it by yourself because you can't open .exe stuff and Notepad is an .exe program. Unlike other MAIN extensions such as reg, exe, bat, etc., .inf is an independent filetype which doesn't require any specific program to run it. I haven't tested it out on my computer in the lab (I'm too lazy to go get infected by that thing again) but it SHOULD work. I knew I forgot about something and this is the only last thing I can ever think of, beside chkdsk.

And since it's an .inf extension, websites won't allow me to upload it unless I compress it in .zip, .rar or whatever. So I doubt your winzip or winrar is gonna be able to run.
I have fooled the system of a website by renaming the .inf extension to .jpg.
Here's how you have to do it. Right-click on this link:
http://www.fileupyours.com/view/233717/Fixswen.jpg
[IE] Save Target As...
or
[Firefox] Save Link As...
Choose to save it on your Desktop.
By then, rename the file Fixswen.jpg back to Fixswen.inf
It will ask you "Are you sure blah blah?"
You say YES... Or OK or whatever positive button it's showing.
And then you right-click it and click "Install"...
If it's asking a question again, click "open" or "ok" or "yes" or anything like that...

If you wanna know what this is, let me teach you the codes quickly in general:

CODE
; [Version] marks this as a setup INF; $CHICAGO$ means it applies to any Windows version
[Version]
Signature="$CHICAGO$"

; Right-click > Install runs [DefaultInstall]: write the values listed in [FixSwen],
; then delete the values listed in [EnableRegTools]
[DefaultInstall]
AddReg=FixSwen
DelReg=EnableRegTools

; Restore the default "open" commands for .bat, .com, .exe, .pif, .reg and .scr files.
; Fields: root key, subkey, value name (empty = the key's default value), flags, data.
; Inside an INF string a doubled quote "" stands for one literal quote, so the
; regfile line below must be ""%1"" (the original post had a single quote there).
[FixSwen]
HKCR, "batfile\shell\open\command",,0,"""%1"" %*"
HKCR, "comfile\shell\open\command",,0,"""%1"" %*"
HKCR, "exefile\shell\open\command",,0,"""%1"" %*"
HKCR, "piffile\shell\open\command",,0,"""%1"" %*"
HKCR, "regfile\shell\open\command",,0,"regedit.exe ""%1"""
HKCR, "scrfile\shell\open\command",,0,"""%1"" /S"
HKCR, "scrfile\shell\config\command",,0,"%1"

; Remove the policy value that keeps regedit from starting
[EnableRegTools]
HKCU, "software\microsoft\windows\currentversion\policies\system","DisableRegistryTools"

In the [FixSwen] part, those codes are gonna fix all the damaged/lost values that disallowed you to open the .exe, .reg, .whatever <--- Having this installed should fix the problem. Don't forget to try to open some .exe files as a test to see if it works. Because we need regedit.exe to ease our tasks.
"We need mister reggie to have more power in our army to fight the virus! He's seriously injured! We have to save him!" Ok that was random... But yeah we need to save regedit.exe and make it work back to normal.

[EnableRegTools] part is where it's gonna get deleted. As you see:
DelReg=EnableRegTools which is up there in the codes, it's gonna delete the [EnableRegTools] because inside of it, there's this value that disabled your registry tools.

That's it. Let's hope this is gonna work because I believe I have nothing else left as a solution for you beside chkdsk, Linux programming, and... reformatting... haha.
Good luck.

QUOTE (h2obubbli @ Feb 19 2009, 08:57 AM)
NPB, do you know how to get rid of the infamous Virtumonde? I kinda got my sis's PC infected =.=;;;
In the past I had to reformat the comp, but I don't have a Windows disk atm....


I remember working on that malicious thing a few years ago... I've been working on over thousands of viruses within 2 years so I'd need to refresh my mind a little bit... Gotta go to my little lab and infect one of my computers with Virtumonde by analyzing everything it's doing... Haha... I think I remember that it was tricky in so many ways... If I remember well, it can use a "System Recovery" option to come back when you successfully eliminate it. Immortal style. Which is why you gotta disable the system recovery setting right after you eliminate it and BEFORE you reboot your computer. And stay like that for like months and then that's when you can re-activate the recovery setting <--- Just in case. It's really something that makes us go nuts...
Meanwhile, I'd like to know... How long have you been infected by Virtumonde (approximately)? (I mean... your sister's computer).
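As an added illustration of what the Fixswen.inf above actually does (this is editor-added example code, not NPB-XK's file nor anything from the thread), the Python below parses the INF into the registry writes and deletes its [DefaultInstall] section performs, then audits a registry snapshot against them so you can see exactly which file-type associations and policy values still deviate from a clean state. The embedded INF is the posted one with the regfile line's INF quoting corrected; the snapshot is a constructed dict standing in for `reg query` output from the damaged PC, and the parser assumes, as is true for this file, that no value contains a comma.

```python
# Added example (not the poster's file): parse Fixswen.inf into the registry writes and
# deletes it performs and audit a snapshot against them. Regfile line uses proper ""%1"" quoting.
FIXSWEN_INF = r'''[Version]
Signature="$CHICAGO$"
[DefaultInstall]
AddReg=FixSwen
DelReg=EnableRegTools
[FixSwen]
HKCR, "batfile\shell\open\command",,0,"""%1"" %*"
HKCR, "comfile\shell\open\command",,0,"""%1"" %*"
HKCR, "exefile\shell\open\command",,0,"""%1"" %*"
HKCR, "piffile\shell\open\command",,0,"""%1"" %*"
HKCR, "regfile\shell\open\command",,0,"regedit.exe ""%1"""
HKCR, "scrfile\shell\open\command",,0,"""%1"" /S"
HKCR, "scrfile\shell\config\command",,0,"%1"
[EnableRegTools]
HKCU, "software\microsoft\windows\currentversion\policies\system","DisableRegistryTools"
'''

# Constructed stand-in for `reg query` output on the damaged PC: only batfile and regfile
# survived, and the DisableRegistryTools policy value is set. Keys: (root, subkey, value name).
DAMAGED_SNAPSHOT = {
    ('HKCR', r'batfile\shell\open\command', '(Default)'): '"%1" %*',
    ('HKCR', r'regfile\shell\open\command', '(Default)'): 'regedit.exe "%1"',
    ('HKCU', r'software\microsoft\windows\currentversion\policies\system', 'DisableRegistryTools'): 1,
}

def unquote(field):
    """INF string: outer quotes removed; a doubled "" inside them is one literal quote."""
    field = field.strip()
    if len(field) >= 2 and field[0] == field[-1] == '"':
        return field[1:-1].replace('""', '"')
    return field

def parse_inf(text):
    """Return {section: [directive lines]}, dropping blank lines and ';' comments."""
    sections, cur = {}, None
    for line in (raw.split(';', 1)[0].strip() for raw in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            cur = line[1:-1]
            sections[cur] = []
        elif line and cur is not None:
            sections[cur].append(line)
    return sections

def registry_plan(sections):
    """Expand [DefaultInstall] into ('set'|'delete', root, subkey, value name, data) tuples."""
    plan = []
    for directive in sections['DefaultInstall']:
        kind, names = (s.strip() for s in directive.split('=', 1))
        for line in (d for s in names.split(',') for d in sections[s.strip()]):
            f = [unquote(x) for x in line.split(',')]  # root, subkey, name[, flags, data]
            if kind == 'AddReg':
                plan.append(('set', f[0], f[1], f[2] or '(Default)', f[4]))
            else:                                      # DelReg: value to remove
                plan.append(('delete', f[0], f[1], f[2], None))
    return plan

def audit(plan, snapshot):
    """Report every value the INF would still change, i.e. what deviates from a clean state."""
    snap = {(r, k.lower(), n.lower()): v for (r, k, n), v in snapshot.items()}
    findings = []
    for op, root, subkey, name, data in plan:
        current = snap.get((root, subkey.lower(), name.lower()))
        if (op == 'set' and current != data) or (op == 'delete' and current is not None):
            findings.append(f'{op} {root}\\{subkey}\\{name}: found {current!r}, want {data!r}')
    return findings
```

Running `audit(registry_plan(parse_inf(FIXSWEN_INF)), DAMAGED_SNAPSHOT)` on the constructed snapshot lists the five wiped open/config commands plus the DisableRegistryTools policy to remove; on a real machine you would fill the snapshot from `reg query` output for the same keys.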

#20 h2obubbli (Member, Posts: 1,033, Joined: 08-December 05)
Posted 19 February 2009 - 06:38 PM

Gahh, I don't qualify for that then; it's been infected since ....... December and since then has been rebooted numerous times =.=
But you actually have a solution for this trojan, you're good!

I think it

disables the usage of Google (if it works it will re-direct you to another site)
Constant random pop-ups
slows down the computer (CPU usage goes up & I think there's something about rundll32.dll)
probs more that I don't know about ...... the main point is: it just won't delete lol .... =.=
