virus on windows xp

[circlek09]

hello,

i recently downloaded a program off the internet that ended up being a trojan (even though i had mcaffee, it did nothing to stop it) and has now infected my computer, only the windows side that is. i restarted windows (through VMWare) and it comes up with a DEP message saying the startup file cannot start or else it will be infected. McAffee did a scan of files that are corrupt and i attached screenshots of what those files are.

i tried to do a system restore by logging into safe mode, then going to command prompt, but once there, it sent me to a blue screen saying there was problems and the computer had to shut down.

should i delete the files from the windows HD partition that mcaffee lists as viruse, and trojans? i'm afraid those are important files that actually need to be restored. laugh at me now if i'm completely out of touch.

bottom line, i need to clean my windows xp and rid the virus, so i may continue to use it for CAD!

any and all suggestions, help, tips would be greatly appreciated as my self business is now stalled. ugh

thank you all very much in advance!

 

[markojug]

Just delete the Windows.vmwarevm and reinstall Windows XP using VMware.

 

[circlek09]

ok dumb question.

i dont have the windows xp disc to reinstall. its across the country. can i perform a re-install through vmware? and where is that file located.

thanks

 

[markojug]

Have you tried using all the options (Safe Mode w/ Networking, Last known configuration etc...)

What error does the Blue screen give you? If you can tell me, that will sure help a bit.

 

[circlek09]

i tried safe mode w/ networking. it got me to my main screen and i ran mcafee again. it said it quarantined and removed a few viruses, and said to restart the computer. i also started a system restore, but i noted that the date it wanted to restore back to, was the night i received the virus. the title at that time of the system restore was for 'software distribution services' so i neglected to restore to that time. should i have or should i have?

i then restarted, again trying safe mode in networking, and was presented with the blue screen again.

attached are images of the console screen that loads then the blue screen that it turns into.

here's also a log from the mcafee scan:
8/26/2009 12:41:23 AM Scan Started: 08/26/2009 00:41:23 AM
8/26/2009 12:44:11 AM "C:\WINDOWS\system32\dllhost.exe" "New Win32" "10"
8/26/2009 1:03:06 AM "C:\Program Files\Internet Explorer\iexplore.exe" "New Win32" "5"
8/26/2009 1:03:35 AM "C:\Program Files\Messenger\msmsgs.exe" "New Win32" "5"
8/26/2009 1:10:19 AM "C:\WINDOWS\services.exe" "New Poly Win32" "5"
8/26/2009 1:21:18 AM "C:\WINDOWS\SYSTEM32\3DD.TMP" "Artemis!9C72599BFE60" "5"
8/26/2009 1:21:18 AM "C:\WINDOWS\system32\3DD.tmp" "Artemis!9C72599BFE60" "5"
8/26/2009 1:21:18 AM "C:\WINDOWS\SYSTEM32\3E0.TMP" "Artemis!5C241F7DEC70" "5"
8/26/2009 1:21:18 AM "C:\WINDOWS\system32\3E0.tmp" "Artemis!5C241F7DEC70" "5"
8/26/2009 1:21:19 AM "C:\WINDOWS\SYSTEM32\4.TMP" "Artemis!9C72599BFE60" "5"
8/26/2009 1:21:19 AM "C:\WINDOWS\system32\4.tmp" "Artemis!9C72599BFE60" "5"
8/26/2009 1:21:20 AM "C:\WINDOWS\SYSTEM32\5.TMP" "Artemis!5C241F7DEC70" "5"
8/26/2009 1:21:20 AM "C:\WINDOWS\system32\5.tmp" "Artemis!5C241F7DEC70" "5"
8/26/2009 1:21:25 AM "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|13867" "Artemis!9C72599BFE60" "14"
8/26/2009 1:21:26 AM "C:\WINDOWS\SYSTEM32\C.TMP" "Artemis!9C72599BFE60" "5"
8/26/2009 1:21:26 AM "C:\WINDOWS\system32\C.tmp" "Artemis!9C72599BFE60" "5"
8/26/2009 1:21:28 AM "C:\WINDOWS\system32\cmd.exe" "New Win32" "5"
8/26/2009 1:21:32 AM "C:\WINDOWS\SYSTEM32\D.TMP" "Artemis!5C241F7DEC70" "5"
8/26/2009 1:21:32 AM "C:\WINDOWS\system32\D.tmp" "Artemis!5C241F7DEC70" "5"
8/26/2009 1:21:37 AM "C:\WINDOWS\system32\dllhost.exe" "New Win32" "5"
8/26/2009 1:21:41 AM "C:\WINDOWS\system32\dumprep.exe" "New Win32" "5"
8/26/2009 1:21:56 AM "C:\WINDOWS\system32\logonui.exe" "New Win32" "5"
8/26/2009 1:22:12 AM "C:\WINDOWS\system32\netsh.exe" "New Win32" "5"
8/26/2009 1:22:34 AM "C:\WINDOWS\system32\sc.exe" "New Win32" "5"
8/26/2009 1:22:39 AM "C:\WINDOWS\system32\spoolsv.exe" "New Win32" "5"
8/26/2009 1:22:47 AM "C:\WINDOWS\system32\verclsid.exe" "New Win32" "5"
8/26/2009 1:23:01 AM "C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\EI420DB0\PART[1].TXT" "FakeAlert-SpywareProtect" "5"
8/26/2009 1:23:01 AM "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EI420DB0\part[1].txt" "FakeAlert-SpywareProtect" "5"
8/26/2009 1:23:02 AM "C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\FG8CAQFD\ABB[1].TXT" "Artemis!5C241F7DEC70" "5"
8/26/2009 1:23:02 AM "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\FG8CAQFD\abb[1].txt" "Artemis!5C241F7DEC70" "5"
8/26/2009 1:23:03 AM "C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\IPBL1ZLY\BOT[1].TXT" "Artemis!9C72599BFE60" "5"
8/26/2009 1:23:03 AM "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IPBL1ZLY\bot[1].txt" "Artemis!9C72599BFE60" "5"
8/26/2009 1:23:59 AM "C:\WINDOWS\system32\drivers\etc\hosts" "W32/Virut!hosts" "5"
8/26/2009 1:24:29 AM "C:\WINDOWS\system32\wbem\wmiprvse.exe" "New Win32" "5"
8/26/2009 1:46:21 AM Total objects scanned: 109757
8/26/2009 1:46:21 AM Objects detected: 24
8/26/2009 1:46:21 AM Scan Done: 08/26/2009 01:46:21 AM
8/27/2009 3:20:24 AM Scan Started: 08/27/2009 03:20:24 AM
8/27/2009 3:20:26 AM "Memory\NtCreateFile" "Generic.dx!rootkit" "5"
8/27/2009 3:20:26 AM "Memory\NtQueryInformationProcess" "Generic.dx!rootkit" "5"
8/27/2009 3:20:26 AM "Memory\ZwCreateFile" "Generic.dx!rootkit" "5"
8/27/2009 3:20:26 AM "Memory\ZwQueryInformationProcess" "Generic.dx!rootkit" "5"
8/27/2009 3:20:26 AM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/27/2009 3:20:35 AM "C:\WINDOWS\system32\restore\rstrui.exe" "New Win32" "10"
8/27/2009 3:20:39 AM "C:\WINDOWS\system32\dllhost.exe" "New Win32" "5"
8/27/2009 3:20:43 AM "C:\WINDOWS\system32\mstsc.exe" "New Poly Win32" "5"
8/27/2009 3:20:43 AM "C:\WINDOWS\system32\narrator.exe" "New Win32" "5"
8/27/2009 3:20:47 AM "C:\WINDOWS\system32\sndrec32.exe" "New Win32" "5"
8/27/2009 3:20:54 AM "C:\WINDOWS\system32\Restore\rstrui.exe" "New Win32" "5"
8/27/2009 3:20:55 AM "C:\WINDOWS\system32\wbem\wmiprvse.exe" "New Win32" "5"
8/27/2009 3:22:05 AM Total objects scanned: 3051
8/27/2009 3:22:05 AM Objects detected: 12
8/27/2009 3:22:05 AM Scan Done: 08/27/2009 03:22:05 AM

 

[markojug]

The Blue Screen is saying one of your system files has been damaged. Keep trying to boot in safe mode to disinfect the viruses.

That virus has really damaged your Windows system files in other terms.

 

[circlek09]

so i finally made it into safe mode effectively and opened mcafee. i 'restored' a list of quarantined files. then did it again, and again. restarted the computer and still wont load in normal mode. the 'startunitlogin' or something wont open because DEP closes it.

its as if the files get restored in mcafee, then once i reload in safe mode, they are screwed up again

 

[Tallest Skil]

its as if the files get restored in mcafee

Found your problem: You're thinking that this actually happens.

 

[circlek09]

ha that's what i figured. and if i delete those files, then the computer would never start, right.

are there any solutions. can i copy those files from a friends xp system, and replace them into mine. any magic tricks?

i'm on the verge of re-buying xp because my disk is on the other coast. someone please tell me thats the last option.

 

[markojug]

i'm on the verge of re-buying xp because my disk is on the other coast. someone please tell me thats the last option.

Yes, that looks like the only option for you to boot into normal mode.