TechSpot

Can't access AVG, Microsoft nor spyware sites, can't update malwarebytes

By synno
Nov 9, 2009
  1. Hi,

    This seems like a very worthy site so I'll try my luck here. Hope someone can help me. AVG detected serious threats like win32 heur and virut, so after unsuccessfully trying to install Spyware Doctor (couldn't update so couldn't install properly), paying for and running Antispyware (useless!) and following the 8-step instructions I found here, I still can't access sites like microsoft, avg, anything with malware or spyware in the name, malwarebytes (for an update). Moreover, I can only open Chrome with the --no-sandbox option (not a good thing to do, apparently). IE opens but crashes. And viruses continue to be detected!
    I'm running Vista/SP2.
    Looking forward to any advice I get.
    Cheers,
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot, synno. I'll help guide you with the malware.

    Let's check right up front for Virut:

    Virut is a Polymorphic File Infector that infects .EXE and .SCR files. It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker.

    And I can't say anything better or different than what you can read here:
    http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

    Change all of your passwords and monitor any online transactions.
    So don't waste your time - don't look for 'guaranteed removals' - there aren't any.

    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • c:\windows\system32\userinit.exe
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
    Also scan these,

    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe


    When I see the results, I will determine whether to recommend a reformat/reinstall.
     
  3. synno

    synno TS Rookie Topic Starter

    Thanks a million for getting back to me.
    I tried accessing virscan.org from IE, but had to give up after a dozen attempts because IE always fails to respond and just stops running straightaway.
    I uploaded the userinit.exe to the site from Chrome and the log is posted here.


    VirSCAN.org Scanned Report :
    Scanned time : 2009/11/11 20:58:08 (CET)
    Scanner results: 38% Scanner(s) (14/37) found malware!
    File Name : userinit.exe
    File Size : 45056 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : c459c98de06fbd56d8fbaa242635296d
    SHA1 : 90124405d88d458b8d3739a0d7216b6775d25533
    Online report : http://virscan.org/report/88f17a01661f0dfef8985a50941a18da.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20091111183445 2009-11-11 4.19 -
    AhnLab V3 2009.11.12.00 2009.11.12 2009-11-12 1.02 -
    AntiVir 8.2.1.65 7.1.6.223 2009-11-11 0.19 W32/Virut.Gen
    Antiy 2.0.18 20091105.3216324 2009-11-05 0.12 -
    Arcavir 2009 200911110132 2009-11-11 0.04 -
    Authentium 5.1.1 200911111347 2009-11-11 1.22 W32/Virut.AI!Generic (Heuristic)
    AVAST! 4.7.4 091111-0 2009-11-11 0.01 -
    AVG 8.5.288 270.14.60/2496 2009-11-11 1.47 -
    BitDefender 7.81008.4523818 7.28875 2009-11-12 3.95 -
    CA (VET) 35.1.0 7115 2009-11-11 6.14 -
    ClamAV 0.95.2 10013 2009-11-11 0.02 -
    Comodo 3.12 2920 2009-11-11 0.91 -
    CP Secure 1.3.0.5 2009.11.11 2009-11-11 0.06 -
    Dr.Web 4.44.0.9170 2009.11.11 2009-11-11 6.60 Win32.Virut.56
    F-Prot 4.4.4.56 20091111 2009-11-11 1.22 Possible W32/Virut.AI!Generic
    F-Secure 7.02.73807 2009.11.11.12 2009-11-11 0.11 Virus.Win32.Virut.ce [AVP]
    Fortinet 2.81-3.120 11.48 2009-11-11 0.30 -
    GData 19.8805/19.552 20091111 2009-11-11 5.52 Virus.Win32.Virut.ce [Engine:A]
    ViRobot 20091111 2009.11.11 2009-11-11 0.41 -
    Ikarus T3.1.01.74 2009.11.11.74508 2009-11-11 4.56 -
    JiangMin 11.0.800 2009.11.11 2009-11-11 4.02 -
    Kaspersky 5.5.10 2009.11.11 2009-11-11 0.06 Virus.Win32.Virut.ce
    KingSoft 2009.2.5.15 2009.11.11.20 2009-11-11 0.51 Win32.Virut.cr.61440
    McAfee 5.3.00 5799 2009-11-11 3.46 New Win32.g2
    Microsoft 1.5202 2009.11.11 2009-11-11 6.46 -
    Norman 6.01.09 6.01.00 2009-11-10 4.00 -
    Panda 9.05.01 2009.11.11 2009-11-11 2.84 Suspicious file
    Trend Micro 8.700-1004 6.620.02 2009-11-11 0.08 PE_VIRUX.GEN-1
    Quick Heal 10.00 2009.11.11 2009-11-11 1.42 W32.Virut.G
    Rising 20.0 22.21.02.09 2009-11-11 1.22 Win32.Infected.GEN [Suspicious]
    Sophos 3.00.1 4.46 2009-11-12 3.00 -
    Sunbelt 5503 5503 2009-11-11 1.65 Virus.Win32.Virut.ce (v)
    Symantec 1.3.0.24 20091111.006 2009-11-11 0.05 -
    nProtect 20091111.01 6164553 2009-11-11 3.60 -
    The Hacker 6.5.0.2 v00066 2009-11-11 0.75 -
    VBA32 3.12.10.11 20091111.1459 2009-11-11 1.99 -
    VirusBuster 4.5.11.10 10.113.14/2001197 2009-11-12 2.98 -


    Here's the explorer.exe scan output:

    VirSCAN.org Scanned Report :
    Scanned time : 2009/11/11 21:09:24 (CET)
    Scanner results: Scanners did not find malware!
    File Name : explorer.exe
    File Size : 2926592 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : d07d4c3038f3578ffce1c0237f2a1253
    SHA1 : 4b3bd605b63749ff255e048ca6f27aff95aec24a
    Online report : http://virscan.org/report/5907a0d36e1d95cbc7f49c156612cc4a.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20091111183445 2009-11-11 4.01 -
    AhnLab V3 2009.11.12.00 2009.11.12 2009-11-12 1.02 -
    AntiVir 8.2.1.65 7.1.6.223 2009-11-11 0.43 -
    Antiy 2.0.18 20091105.3216324 2009-11-05 0.12 -
    Arcavir 2009 200911110132 2009-11-11 0.09 -
    Authentium 5.1.1 200911111347 2009-11-11 1.21 -
    AVAST! 4.7.4 091111-0 2009-11-11 0.11 -
    AVG 8.5.288 270.14.60/2496 2009-11-11 0.34 -
    BitDefender 7.81008.4523818 7.28875 2009-11-12 3.94 -
    CA (VET) 35.1.0 7115 2009-11-11 8.65 -
    ClamAV 0.95.2 10013 2009-11-11 0.32 -
    Comodo 3.12 2920 2009-11-11 0.74 -
    CP Secure 1.3.0.5 2009.11.11 2009-11-11 0.47 -
    Dr.Web 4.44.0.9170 2009.11.11 2009-11-11 6.60 -
    F-Prot 4.4.4.56 20091111 2009-11-11 1.19 -
    F-Secure 7.02.73807 2009.11.11.12 2009-11-11 0.13 -
    Fortinet 2.81-3.120 11.48 2009-11-11 0.34 -
    GData 19.8805/19.552 20091111 2009-11-11 5.46 -
    ViRobot 20091111 2009.11.11 2009-11-11 0.46 -
    Ikarus T3.1.01.74 2009.11.11.74508 2009-11-11 4.14 -
    JiangMin 11.0.800 2009.11.11 2009-11-11 4.11 -
    Kaspersky 5.5.10 2009.11.11 2009-11-11 0.07 -
    KingSoft 2009.2.5.15 2009.11.11.20 2009-11-11 0.65 -
    McAfee 5.3.00 5799 2009-11-11 3.42 -
    Microsoft 1.5202 2009.11.11 2009-11-11 6.35 -
    Norman 6.01.09 6.01.00 2009-11-10 4.00 -
    Panda 9.05.01 2009.11.11 2009-11-11 2.80 -
    Trend Micro 8.700-1004 6.620.02 2009-11-11 0.03 -
    Quick Heal 10.00 2009.11.11 2009-11-11 2.01 -
    Rising 20.0 22.21.02.09 2009-11-11 1.00 -
    Sophos 3.00.1 4.46 2009-11-12 3.04 -
    Sunbelt 5503 5503 2009-11-11 1.68 -
    Symantec 1.3.0.24 20091111.006 2009-11-11 0.16 -
    nProtect 20091111.01 6164553 2009-11-11 3.73 -
    The Hacker 6.5.0.2 v00066 2009-11-11 0.82 -
    VBA32 3.12.10.11 20091111.1459 2009-11-11 2.22 -
    VirusBuster 4.5.11.10 10.113.14/2001197 2009-11-12 3.06 -


    And finally, for svchost.exe:

    VirSCAN.org Scanned Report :
    Scanned time : 2009/11/11 21:12:59 (CET)
    Scanner results: Scanners did not find malware!
    File Name : svchost.exe
    File Size : 21504 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 3794b461c45882e06856f282eef025af
    SHA1 : bf15549a7ec01ac505ccac036aba5b9bae688135
    Online report : http://virscan.org/report/edb813f60e67bdb28942e17a2b94781c.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20091111183445 2009-11-11 3.93 -
    AhnLab V3 2009.11.12.00 2009.11.12 2009-11-12 0.98 -
    AntiVir 8.2.1.65 7.1.6.223 2009-11-11 0.50 -
    Antiy 2.0.18 20091105.3216324 2009-11-05 0.12 -
    Arcavir 2009 200911110132 2009-11-11 0.03 -
    Authentium 5.1.1 200911111347 2009-11-11 1.24 -
    AVAST! 4.7.4 091111-0 2009-11-11 0.01 -
    AVG 8.5.288 270.14.60/2496 2009-11-11 0.30 -
    BitDefender 7.81008.4523818 7.28875 2009-11-12 4.01 -
    CA (VET) 35.1.0 7115 2009-11-11 5.35 -
    ClamAV 0.95.2 10013 2009-11-11 0.01 -
    Comodo 3.12 2920 2009-11-11 0.72 -
    CP Secure 1.3.0.5 2009.11.11 2009-11-11 0.04 -
    Dr.Web 4.44.0.9170 2009.11.11 2009-11-11 6.62 -
    F-Prot 4.4.4.56 20091111 2009-11-11 1.21 -
    F-Secure 7.02.73807 2009.11.11.12 2009-11-11 0.10 -
    Fortinet 2.81-3.120 11.48 2009-11-11 0.26 -
    GData 19.8805/19.552 20091111 2009-11-11 5.59 -
    ViRobot 20091111 2009.11.11 2009-11-11 0.42 -
    Ikarus T3.1.01.74 2009.11.11.74508 2009-11-11 4.07 -
    JiangMin 11.0.800 2009.11.11 2009-11-11 7.58 -
    Kaspersky 5.5.10 2009.11.11 2009-11-11 0.07 -
    KingSoft 2009.2.5.15 2009.11.11.20 2009-11-11 0.57 -
    McAfee 5.3.00 5799 2009-11-11 3.43 -
    Microsoft 1.5202 2009.11.11 2009-11-11 6.32 -
    Norman 6.01.09 6.01.00 2009-11-10 4.01 -
    Panda 9.05.01 2009.11.11 2009-11-11 2.08 -
    Trend Micro 8.700-1004 6.620.02 2009-11-11 0.03 -
    Quick Heal 10.00 2009.11.11 2009-11-11 1.21 -
    Rising 20.0 22.21.02.09 2009-11-11 0.96 -
    Sophos 3.00.1 4.46 2009-11-12 3.01 -
    Sunbelt 5503 5503
    Symantec 1.3.0.24 20091111.006
    nProtect 20091111.01 6164553
    The Hacker 6.5.0.2 v00066
    VBA32 3.12.10.11 20091111.1459
    VirusBuster 4.5.11.10 10.113.14/2001197



    Thanks again!
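An added example, not part of the thread or of VirSCAN.org: a small parser for the report rows pasted above, which counts how many engines flagged the file and which of them named the family Bobbye is checking for. The sample is a constructed excerpt of the userinit.exe report, with one truncated row of the kind seen at the end of the svchost.exe paste.

```python
import re
from dataclasses import dataclass

# Each VirSCAN row is: <scanner> <engine ver> <sig ver> <sig date> <seconds> <result>
# Scanner names ("Trend Micro", "CA (VET)") and results ("Suspicious file") may
# contain spaces, so the row is anchored on the fixed-shape date and time columns.
ROW = re.compile(
    r"^(?P<scanner>.+?)\s+(?P<engine>\S+)\s+(?P<sig>\S+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<secs>\d+\.\d+)\s+(?P<result>.+?)\s*$"
)

@dataclass
class Verdict:
    scanner: str
    result: str  # "-" means the engine reported the file clean

    @property
    def detected(self) -> bool:
        return self.result != "-"

def parse_report(text: str) -> list[Verdict]:
    """Return one Verdict per complete scanner row; header, blank and
    truncated rows (no date/time/result columns) simply do not match."""
    return [Verdict(m["scanner"], m["result"])
            for line in text.splitlines()
            if (m := ROW.match(line.strip()))]

def summarize(text: str, family: str = "virut") -> dict:
    """Count detections and list the engines whose label names `family`."""
    verdicts = parse_report(text)
    hits = [v for v in verdicts if v.detected]
    named = [v.scanner for v in hits if family.lower() in v.result.lower()]
    pct = round(100 * len(hits) / len(verdicts)) if verdicts else 0
    return {"engines": len(verdicts), "detections": len(hits),
            "percent": pct, "named": named}

# Constructed excerpt of the userinit.exe report rows posted in the thread.
SAMPLE = """\
Scanner Engine Ver Sig Ver Sig Date Time Scan result
AhnLab V3 2009.11.12.00 2009.11.12 2009-11-12 1.02 -
AntiVir 8.2.1.65 7.1.6.223 2009-11-11 0.19 W32/Virut.Gen
CA (VET) 35.1.0 7115 2009-11-11 6.14 -
F-Prot 4.4.4.56 20091111 2009-11-11 1.22 Possible W32/Virut.AI!Generic
GData 19.8805/19.552 20091111 2009-11-11 5.52 Virus.Win32.Virut.ce [Engine:A]
Kaspersky 5.5.10 2009.11.11 2009-11-11 0.06 Virus.Win32.Virut.ce
Panda 9.05.01 2009.11.11 2009-11-11 2.84 Suspicious file
Trend Micro 8.700-1004 6.620.02 2009-11-11 0.08 PE_VIRUX.GEN-1
Symantec 1.3.0.24 20091111.006 2009-11-11 0.05 -
Sunbelt 5503 5503
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```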
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Not much doubt about that!

    What is Userinit?

    Specifies the programs that Winlogon runs when a user logs on. By default, Winlogon runs Userinit.exe, which runs logon scripts, reestablishes network connections, and then starts Explorer.exe, the Windows user interface.

    Purpose of this file:
    So having the Virut infection in this process means that every time you log on, it spreads. Most of us don't attempt to remove it because:
    Virut is a Polymorphic File Infector that infects .EXE and .SCR files. It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker.

    And I can't say anything better or different than what you can read here:
    http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html


    Change all of your passwords and monitor any online transactions.

    Recommend you reformat and reinstall ASAP.

    Wish the news was better.
     
  5. synno

    synno TS Rookie Topic Starter

    Thanks for taking a look. After reading up on the virus, I'd resigned myself to having to reformat and reinstall, and as I was thinking of migrating from Vista to W7, this looks like a good time to do so.
    Bad karma to the people who created these monsters!
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're welcome. I always hate to give this news but it's better to do the reformat/reinstall right up front instead of letting Virut do any more damage.

    I think we would all wish the bad karma on those who do this. I have some good tips on staying safe. If you have any way to access and save or print out, I'll give it to you.
     
  7. synno

    synno TS Rookie Topic Starter

    Sure, thanks, please do - I'm certainly more receptive to taking precautions after this episode.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, here you go- I recommend all!

    Please follow these simple steps to keep your computer clean and secure:
    1. Disable and Enable System Restore: This will help you to drop the old restore points and set a new, clean one:

    System Restore Guide


    2. Stay current on updates:
    • Visit the Microsoft Download Site frequently.
      You should get all updates marked Critical and the current SP updates: Windows 2000 > SP4, Windows XP > SP2, SP3, Vista > SP1
    • Visit this site (Adobe Reader) often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

    3. Make Internet Explorer safer. Follow the suggestions HERE
    This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

    4. Remove Temporary Internet Files regularly: Use
    5. Use an AntiVirus Software (only one)
    6. Use a good, bi-directional firewall (one software firewall)
    • See Understanding and Using Firewalls including links to download a firewall.

    7. Consider these programs for Extra Security
    • SpywareBlaster: protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
    • IE/Spyad: places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file: replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Google Toolbar: get the free Google toolbar to help stop pop-up windows.

    If I can be of further assistance, please let me know. Help and support is only given in the forums but you can send a PM to me and bring my attention
    back to the thread.
     