TechSpot

[Not curable - Virut] Help with Win32/Heur. Log files included

By RTPud
Mar 30, 2010
  1. Hi,
    I have followed the 8-step removal process as closely as possible.

    I uninstalled AVG and replaced it with Avast.
    From here, all has been done in safe mode. The system is unstable when not in safe mode.
    I then disabled Avast and ran TFC.
    On restart, I ran Malwarebytes. Log attached.
    I ran GMER. The system crashed with a blue screen after most of the scan was finished.
    I am relatively sure my Java is up to date, but am unable to change it in safe mode.
    I ran DDS. Logs attached.
    Then, based on this thread: http://www.techspot.com/vb/topic105822.html
    I ran HijackThis. Log attached.
    The logs were copied to a jump drive, which I just now noticed has the following files copied onto it: cmd.exe, svchost.exe, rundll32.exe (userinit login application).
    I hope I just didn't infect my laptop...
    Please help!
    Thanks
     

    Attached Files:

  2. Broni

    Broni, Malware Annihilator

    Download, and run Flash Disinfector, and save it to your desktop.

    *Please disable any AV / ScriptBlockers as they might detect Flash Disinfector to be malicious and block it. Hence, the failure in executing. You can enable them back after the cleaning process*

    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
    • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.
    Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

    ========================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. RTPud

    RTPud, TS Rookie, Topic Starter

    I ran the flash disinfector (in safe mode) which ran fine.
    I rebooted in normal mode.
    I ran combofix after disabling Avast and Adaware.
    It gave an error saying that the program was compromised and I may have the "Virut" virus.
     
  4. Broni


    Upload following files to http://www.virustotal.com/ for security check:
    - explorer.exe located @ C:\Windows
    - userinit.exe and svchost.exe located @ C:\Windows\System32
    Post scans results.
     
  5. RTPud


    explorer:
    File explorer.exe received on 2010.03.31 03:14:09 (UTC)

    Antivirus          Version          Last Update   Result
    a-squared          4.5.0.50         2010.03.31    Trojan.Win32.Patched!IK
    AhnLab-V3          5.0.0.2          2010.03.30    -
    AntiVir            7.10.6.5         2010.03.30    W32/Virut.Gen
    Antiy-AVL          2.0.3.7          2010.03.30    -
    Authentium         5.2.0.5          2010.03.31    -
    Avast              4.8.1351.0       2010.03.30    Win32:Vitro
    Avast5             5.0.332.0        2010.03.30    Win32:Vitro
    AVG                9.0.0.787        2010.03.30    -
    BitDefender        7.2              2010.03.31    Win32.Virtob.Gen.12
    CAT-QuickHeal      10.00            2010.03.30    W32.Virut.G
    ClamAV             0.96.0.0-git     2010.03.30    -
    Comodo             4444             2010.03.31    -
    DrWeb              5.0.2.03300      2010.03.31    Win32.Virut.56
    eSafe              7.0.17.0         2010.03.28    -
    eTrust-Vet         35.2.7398        2010.03.30    -
    F-Prot             4.5.1.85         2010.03.31    -
    F-Secure           9.0.15370.0      2010.03.31    Win32.Virtob.Gen.12
    Fortinet           4.0.14.0         2010.03.30    -
    GData              19               2010.03.31    Win32.Virtob.Gen.12
    Ikarus             T3.1.1.80.0      2010.03.31    Trojan.Win32.Patched
    Jiangmin           13.0.900         2010.03.30    -
    K7AntiVirus        7.10.1004        2010.03.22    -
    Kaspersky          7.0.0.125        2010.03.31    -
    McAfee             5936             2010.03.30    -
    McAfee+Artemis     5936             2010.03.30    -
    McAfee-GW-Edition  6.8.5            2010.03.30    Win32.Virut.Gen
    Microsoft          1.5605           2010.03.30    Virus:Win32/Virut.BN
    NOD32              4986             2010.03.30    Win32/Virut.NBP
    Norman             6.04.10          2010.03.30    -
    nProtect           2009.1.8.0       2010.03.30    -
    Panda              10.0.2.2         2010.03.30    -
    PCTools            7.0.3.5          2010.03.31    -
    Prevx              3.0              2010.03.31    -
    Rising             22.41.02.01      2010.03.31    -
    Sophos             4.52.0           2010.03.31    W32/Scribble-B
    Sunbelt            6119             2010.03.31    Virus.Win32.Virut.ce (v)
    Symantec           20091.2.0.41     2010.03.31    W32.Virut.CF
    TheHacker          6.5.2.0.248      2010.03.31    -
    TrendMicro         9.120.0.1004     2010.03.30    PE_VIRUX.R
    VBA32              3.12.12.2        2010.03.30    -
    ViRobot            2010.3.30.2252   2010.03.30    Win32.Virut.AM
    VirusBuster        5.0.27.0         2010.03.30    Win32.Virut.AB.Gen

    Additional information
    File size: 1058304 bytes
    MD5...: 498fc4d2f5941564c2011cf7f456fbd2
    SHA1..: 5155fd3b43539c62b2a9db84221d535e1a1c6b34
    SHA256: 26e3e4836db03d0670121f7f18d5da309f7b68c62a58bbae0e200fab6b92eb18
    ssdeep: 12288:jHmcoCUyZtwAvAs4wTCyrPTloHWYUrkf8w0Vnzac1/g/J/vMSE:bmfty/wAvN7lrvbkf8w0VnH1/g/J/kl
    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x104709
    timedatestamp.....: 0x177038e4 (Fri Jun 18 06:42:44 1982)
    machinetype.......: 0x14c (I386)

    ( 5 sections )
    name     viradd    virsiz   rawdsiz  ntrpy  md5
    .text    0x1000    0x44c09  0x44e00  6.38   fd89c9ce334764ffdbb62637ad9b5809
    .data    0x46000   0x1db4   0x1800   1.30   983f35021232560eaaa99fcbc1b7d359
    .rsrc    0x48000   0xb2268  0xb2400  6.63   95339c37646fa93e3695e06572a21889
    .reloc   0xfb000   0x9800   0x9800   7.76   8398838252915d44f227fe9b638aefe5
    uwwrtun  0x105000  0x1000   0x0      0.00   d41d8cd98f00b204e9800998ecf8427e

    ( 13 imports )
    > ADVAPI32.dll:

    internal name: explorer
    file version.: 6.00.2900.5512 (xpsp.080413-2105)
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned


    svchost and userinit look the same as explorer.
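    As an added example (not code from this thread, from VirusTotal, or from any tool Broni names), the Python script below reads the same PE header fields that the PEInfo block above prints and flags the indicators visible in that listing: an entry point (0x104709) that lands inside .reloc rather than .text, an appended section (uwwrtun) that claims 0x1000 bytes of address space but has no raw data, a section name no linker produces, and a link timestamp from 1982. The sample headers are constructed inside the script from the section table above, so nothing is read from disk; the section characteristics flags, and the entry point and 2008 timestamp of the clean counterpart, are assumptions, since VirusTotal's listing does not show them. Entropy is not recomputed because a header alone carries no section data.

```python
"""Header-only triage of a Windows PE file for signs of a file infector.

Added example (not from the thread, not part of VirusTotal or any tool
named above).  Standard library only; the sample headers are constructed
below from the section table VirusTotal printed for the infected
explorer.exe, so nothing is read from disk."""
import datetime
import struct

# Section names an MSVC-linked Windows binary normally carries.
KNOWN_SECTIONS = {b".text", b".data", b".rdata", b".rsrc", b".reloc", b".bss",
                  b".idata", b".edata", b".pdata", b".tls", b".CRT"}
CODE, IDATA, UDATA = 0x20, 0x40, 0x80                                   # IMAGE_SCN_CNT_*
X, R, W, DISCARD = 0x20000000, 0x40000000, 0x80000000, 0x02000000        # IMAGE_SCN_MEM_*


def parse_pe(data):
    """Return (entry_rva, timestamp, sections); each section is
    (name, virtual_address, virtual_size, raw_size, characteristics)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]                     # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    _, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    if struct.unpack_from("<H", data, opt_off)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]              # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rsize, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0"), vaddr, vsize, rsize, chars))
    return entry, timestamp, sections


def section_containing(rva, sections):
    """Name of the section whose address range covers rva, or None."""
    for name, vaddr, vsize, rsize, _ in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return name
    return None


def triage(data, min_year=1993):
    """Return the findings a practitioner checks before trusting a system binary."""
    entry, timestamp, sections = parse_pe(data)
    findings = []
    by_name = {s[0]: s for s in sections}
    code = [s[0] for s in sections if s[4] & (CODE | X)]
    ep = section_containing(entry, sections)
    if ep is None:
        findings.append("entry point 0x%x lies outside every section" % entry)
    else:
        if code and ep != code[0]:
            findings.append("entry point 0x%x lies in %s, not in the first code section %s"
                            % (entry, ep.decode(), code[0].decode()))
        if not by_name[ep][4] & X:
            findings.append("entry point section %s is not marked executable" % ep.decode())
    for name, _, vsize, rsize, _ in sections:
        if vsize and not rsize and name != b".bss":
            findings.append("section %s has no raw data but 0x%x bytes of address space"
                            % (name.decode(), vsize))
        if name not in KNOWN_SECTIONS:
            findings.append("unusual section name %r" % name)
    built = datetime.datetime.fromtimestamp(timestamp, datetime.timezone.utc)
    if built.year < min_year or built > datetime.datetime.now(datetime.timezone.utc):
        findings.append("implausible link timestamp %s" % built.isoformat())
    return findings


def build_header(entry, timestamp, sections):
    """Assemble a minimal PE32 header with no section data (test input only)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                # e_lfanew
    opt = bytearray(224)                                                 # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, len(opt), 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, 0, 0, 0, 0, 0, c)
                     for n, va, vs, rs, c in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Section table as VirusTotal printed it for the infected explorer.exe.
# The characteristics flags are assumed; VirusTotal's listing does not show them.
INFECTED_SECTIONS = [
    (b".text",   0x1000,   0x44c09, 0x44e00, CODE | R | X),
    (b".data",   0x46000,  0x1db4,  0x1800,  IDATA | R | W),
    (b".rsrc",   0x48000,  0xb2268, 0xb2400, IDATA | R),
    (b".reloc",  0xfb000,  0x9800,  0x9800,  IDATA | R | DISCARD),
    (b"uwwrtun", 0x105000, 0x1000,  0x0,     UDATA | R | W | X),
]
INFECTED = build_header(0x104709, 0x177038e4, INFECTED_SECTIONS)
# Hypothetical clean counterpart: the four original sections, an entry point in
# .text and a 2008 link date (both values are made up for the comparison).
CLEAN = build_header(0x1a0b0, 0x48029E80, INFECTED_SECTIONS[:4])

if __name__ == "__main__":
    for label, blob in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, triage(blob) or ["no findings"])
```

    Against a real file, call triage(open(path, "rb").read()); the clean counterpart above comes back empty, the constructed explorer.exe header reports every indicator listed in the lead-in. A header-only check is a triage aid, not a verdict: a packer or a legitimately self-modifying binary trips the same heuristics, so the call still rests on the hashes, the engine detections and the "verified: Unsigned" line above.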
     
  6. RTPud


    logs attached. the userinit log looks the same.
     

    Attached Files:

  7. RTPud


    I read up on Virut. I formatted and restored XP. Thanks for your help!
     
  8. Broni


    Unfortunately, that was your only option :(
     
Topic Status:
Not open for further replies.