TechSpot

[Not curable - Virut] Need serious help

By domino23
Jun 25, 2010
  1. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    OK........
     
  2. domino23

    domino23 TS Rookie Topic Starter Posts: 72

    Alright Bron'... I tried again... ran it straight from the desktop and I get this message...


    And this is the one I got from that site... and my second try... what next bro?
     
  3. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    Upload following files to http://www.virustotal.com/ for security check:
    - explorer.exe located @ C:\Windows
    - userinit.exe and svchost.exe located @ C:\Windows\System32
    Post scans results.
     
  4. domino23

    domino23 TS Rookie Topic Starter Posts: 72

    here's explorer


     
  5. domino23

    domino23 TS Rookie Topic Starter Posts: 72

    userinit

     
  6. domino23

    domino23 TS Rookie Topic Starter Posts: 72

    svchost.exe...

     
  7. domino23

    domino23 TS Rookie Topic Starter Posts: 72

    that's all...
     
  8. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    You are infected with a polymorphic file infector (Virut in your case). This infection can and will infect all the machine's executable files .exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair resulting in an inoperative machine.

    Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain following files:
    *.exe
    *.scr
    *.htm
    *.html
    *.xml
    *.zip
    *.rar
    *.doc
    *.jpg
    *.pdf

    Backup all your documents and important items only.
    DO NOT backup any files mentioned above.

    I suggest you do the following immediately:

    * Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
    * From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
    * DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

    For more information on Virut, and why you need to reformat, have a read of miekiemoes' blog here.

    To find out how to carry out an XP Reformat and Reinstall, please see this page. If you are using Vista, then check this page instead.

    Once you have reformatted and reinstalled Windows, have a look at this page for some useful tips on staying clean, along with links to some freeware to help.

    To find out more information about how you may have got infected in the first place, you can read this article.

    I am sorry I cannot give any better news.
     
  9. domino23

    domino23 TS Rookie Topic Starter Posts: 72

    holy ****.... thanks Bron', I'll do what I can do and I'll let you know what happened... thank you for everything, seriously!
     
  10. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    I feel bad for you :(
    We usually fix all infections here, but the polymorphic virus is the only one there is no cure for.
     
  11. domino23

    domino23 TS Rookie Topic Starter Posts: 72

    OK bro, I reinstalled XP and the computer is running a little better, BUT there's something still wrong. My AVG is still detecting small infections every hour or so and my Explorer still keeps freezing up until I close it in Task Manager and restart Explorer... anything else I can do?
     
     
  12. domino23

    domino23 TS Rookie Topic Starter Posts: 72

    Should I re-reinstall XP, not go to any websites, and run AVG and MB first?
     
  13. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    I need more info.
    Was it a clean installation, formatting the drive included?
    Was your computer physically disconnected from the internet while you were performing the reinstall?
     
  14. domino23

    domino23 TS Rookie Topic Starter Posts: 72

    Yes, I formatted the drive, and honestly I really don't remember if I disconnected from the internet when I did it... ****!
     
  15. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    OK. I don't want to mix this new issue with Virut topic, so I suggest you start new topic and we'll check what's going on.
    Go through all 8 steps, post logs and include a note in your new topic, requesting my personal help (since I'm familiar with your case), so Bobbye won't reply there.
    You can also PM me, when you create new topic.

    Before you do that, I want you to do one thing (you can reply here), so we're sure, we're not dealing with same (Virut) issue.

    Upload following files to http://www.virustotal.com/ for security check:
    - explorer.exe located @ C:\Windows
    - userinit.exe and svchost.exe located @ C:\Windows\System32
    Post scans results.
     
  16. domino23

    domino23 TS Rookie Topic Starter Posts: 72

    explorer

    Antivirus Version Last Update Result
    a-squared 5.0.0.31 2010.07.06 Virus.Win32.Virut.q!IK
    AhnLab-V3 2010.07.06.00 2010.07.05 Win32/Virut
    AntiVir 8.2.4.2 2010.07.05 W32/Virut.AT
    Antiy-AVL 2.0.3.7 2010.07.02 -
    Authentium 5.2.0.5 2010.07.06 W32/Virut.AG
    Avast 4.8.1351.0 2010.07.06 Win32:Virtob
    Avast5 5.0.332.0 2010.07.06 Win32:Virtob
    AVG 9.0.0.836 2010.07.05 Win32/Virut
    BitDefender 7.2 2010.07.06 Win32.Virtob.7.Gen
    CAT-QuickHeal 11.00 2010.06.30 W32.Virut.E
    ClamAV 0.96.0.3-git 2010.07.06 Trojan.Small-4287
    Comodo 5332 2010.07.06 Backdoor.Win32.Nepoe.em1
    DrWeb 5.0.2.03300 2010.07.06 Win32.Virut.27
    eSafe 7.0.17.0 2010.07.05 -
    eTrust-Vet None 2010.07.05 Win32/Virut.6640
    F-Prot 4.6.1.107 2010.07.05 W32/Virut.AG
    F-Secure 9.0.15370.0 2010.07.06 Win32.Virtob.7.Gen
    Fortinet 4.1.133.0 2010.07.04 W32/Virut.J
    GData 21 2010.07.06 Win32.Virtob.7.Gen
    Ikarus T3.1.1.84.0 2010.07.06 Virus.Win32.Virut.q
    Jiangmin 13.0.900 2010.07.03 Win32/Virut.ae
    Kaspersky 7.0.0.125 2010.07.06 Virus.Win32.Virut.at
    McAfee 5.400.0.1158 2010.07.06 W32/Virut.gen.a
    McAfee-GW-Edition 2010.1 2010.07.05 W32/Virut.gen.a
    Microsoft 1.5902 2010.07.03 Virus:Win32/Virut.AA
    NOD32 5253 2010.07.05 Win32/Virut.AT
    Norman 6.05.10 2010.07.05 W32/Virut.AH
    nProtect 2010-07-05.01 2010.07.05 Virus/W32.Virut.K
    Panda 10.0.2.7 2010.07.06 W32/Virutas.AH
    PCTools 7.0.3.5 2010.07.06 Malware.Virut
    Prevx 3.0 2010.07.06 -
    Rising 22.55.01.01 2010.07.06 Win32.Virut.al
    Sophos 4.54.0 2010.07.06 W32/Virut-Gen
    Sunbelt 6548 2010.07.06 Virus.Win32.Virut.a (v)
    Symantec 20101.1.0.89 2010.07.06 W32.Virut.W
    TheHacker 6.5.2.1.308 2010.07.05 W32/Virut.genS
    TrendMicro 9.120.0.1004 2010.07.06 PE_VIRUT.AT
    TrendMicro-HouseCall 9.120.0.1004 2010.07.06 PE_VIRUT.AT
    VBA32 3.12.12.5 2010.07.05 Virus.Win32.Virut.2
    ViRobot 2010.6.29.3912 2010.07.05 Win32.Virut.U
    VirusBuster 5.0.27.0 2010.07.05 Win32.Virut.Gen.4
    Additional information
    File size: 1039360 bytes
    MD5...: 7c64beb12a9eb831047b64645ba1995b
    SHA1..: 77f4e2607a45705d9ba7b5424055cc111813e8d2
    SHA256: 7ef95478fd103066f6d7863b74169ebad3916462248a1582b92443a0d0775c53
    ssdeep: 12288:gzEut4RuAwGgc7fNuIEGpPoHWr2Rkf8I+skzan1/g/J/v5nn71:gzEuAwj2fNuIhakf8I+sk81/g/J/JnR
    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0xfe800
    timedatestamp.....: 0x41107ece (Wed Aug 04 06:14:38 2004)
    machinetype.......: 0x14c (I386)

    ( 4 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x44689 0x44800 6.38 b257b3cd7102cece46cd7366aff0f34b
    .data 0x46000 0x1d90 0x1800 1.29 d0b87d8ce5a34731be197efb73b5d7bf
    .rsrc 0x48000 0xb2278 0xb2400 6.63 abf6dc1befe1a4a4c7f6ef51d1a6f907
    .reloc 0xfb000 0x9800 0x5400 7.26 8bacbaca8c453710149cf245a15b4d54

    ( 13 imports )
    > msvcrt.dll: _itow, free, memmove, realloc, _except_handler3, malloc, _ftol, _vsnwprintf
    > ADVAPI32.dll: RegSetValueW, RegEnumKeyExW, GetUserNameW, RegNotifyChangeKeyValue, RegEnumValueW, RegQueryValueExA, RegOpenKeyExA, RegEnumKeyW, RegCloseKey, RegCreateKeyW, RegQueryInfoKeyW, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegQueryValueW
    > KERNEL32.dll: GetSystemDirectoryW, CreateThread, CreateJobObjectW, ExitProcess, SetProcessShutdownParameters, ReleaseMutex, CreateMutexW, SetPriorityClass, GetCurrentProcess, GetStartupInfoW, GetCommandLineW, SetErrorMode, LeaveCriticalSection, EnterCriticalSection, ResetEvent, LoadLibraryExA, CompareFileTime, GetSystemTimeAsFileTime, SetThreadPriority, GetCurrentThreadId, GetThreadPriority, GetCurrentThread, GetUserDefaultLangID, Sleep, GetBinaryTypeW, GetModuleHandleExW, SystemTimeToFileTime, GetLocalTime, GetCurrentProcessId, GetEnvironmentVariableW, UnregisterWait, GlobalGetAtomNameW, GetFileAttributesW, MoveFileW, lstrcmpW, LoadLibraryExW, FindClose, FindNextFileW, FindFirstFileW, lstrcmpiA, SetEvent, AssignProcessToJobObject, GetDateFormatW, GetTimeFormatW, FlushInstructionCache, lstrcpynW, GetSystemWindowsDirectoryW, SetLastError, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapAlloc, GetUserDefaultLCID, ReadProcessMemory, OpenProcess, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, UnhandledExceptionFilter, SetUnhandledExceptionFilter, VirtualFree, VirtualAlloc, ResumeThread, TerminateProcess, TerminateThread, GetSystemDefaultLCID, GetLocaleInfoW, CreateEventW, GetLastError, RegisterWaitForSingleObject, OpenEventW, WaitForSingleObject, GetTickCount, ExpandEnvironmentStringsW, GetModuleFileNameW, GetPrivateProfileStringW, lstrcmpiW, CreateProcessW, FreeLibrary, GetWindowsDirectoryW, LocalAlloc, CreateFileW, DeviceIoControl, LocalFree, GetQueuedCompletionStatus, CreateIoCompletionPort, SetInformationJobObject, CloseHandle, LoadLibraryW, GetModuleHandleW, ActivateActCtx, DeactivateActCtx, DelayLoadFailureHook, GetProcAddress, DeleteCriticalSection, CreateEventA, HeapDestroy, InitializeCriticalSection, GetFileAttributesExW, MulDiv, lstrlenW, InterlockedDecrement, InterlockedIncrement, GlobalAlloc, InterlockedExchange, GetModuleHandleA, GetVersionExA, GlobalFree, GetProcessTimes, lstrcpyW, GetLongPathNameW, InitializeCriticalSectionAndSpinCount
    > GDI32.dll: GetStockObject, CreatePatternBrush, OffsetViewportOrgEx, GetLayout, CombineRgn, CreateDIBSection, GetTextExtentPoint32W, StretchBlt, SetTextColor, CreateRectRgn, GetClipRgn, IntersectClipRect, GetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, PatBlt, GetBkColor, CreateCompatibleDC, CreateCompatibleBitmap, OffsetWindowOrgEx, DeleteDC, SetBkColor, BitBlt, ExtTextOutW, GetTextExtentPointW, GetClipBox, GetObjectW, CreateRectRgnIndirect, SetBkMode, CreateFontIndirectW, DeleteObject, GetTextMetricsW, SelectObject, GetDeviceCaps, TranslateCharsetInfo, SetStretchBltMode
    > USER32.dll: TileWindows, GetDoubleClickTime, GetSystemMetrics, GetSysColorBrush, AllowSetForegroundWindow, LoadMenuW, GetSubMenu, RemoveMenu, SetParent, GetMessagePos, CheckDlgButton, EnableWindow, GetDlgItemInt, SetDlgItemInt, CopyIcon, AdjustWindowRectEx, DrawFocusRect, DrawEdge, ExitWindowsEx, WindowFromPoint, SetRect, AppendMenuW, LoadAcceleratorsW, LoadBitmapW, SendNotifyMessageW, SetWindowPlacement, CheckMenuItem, EndDialog, SendDlgItemMessageW, MessageBeep, GetActiveWindow, PostQuitMessage, MoveWindow, GetDlgItem, RemovePropW, GetClassNameW, GetDCEx, SetCursorPos, ChildWindowFromPoint, ChangeDisplaySettingsW, RegisterHotKey, UnregisterHotKey, SetCursor, SendMessageTimeoutW, GetWindowPlacement, LoadImageW, SetWindowRgn, IntersectRect, OffsetRect, EnumDisplayMonitors, RedrawWindow, SubtractRect, TranslateAcceleratorW, WaitMessage, InflateRect, CallWindowProcW, GetDlgCtrlID, SetCapture, LockSetForegroundWindow, CopyRect, SystemParametersInfoW, FindWindowW, CreatePopupMenu, GetMenuDefaultItem, DestroyMenu, GetShellWindow, EnumChildWindows, GetWindowLongW, SendMessageW, RegisterWindowMessageW, GetKeyState, MonitorFromRect, MonitorFromPoint, RegisterClassW, SetPropW, GetWindowLongA, SetWindowLongW, FillRect, GetCursorPos, PtInRect, MessageBoxW, LoadStringW, ReleaseDC, GetDC, EnumDisplaySettingsExW, EnumDisplayDevicesW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, PeekMessageW, BeginPaint, EndPaint, SetWindowTextW, GetAsyncKeyState, InvalidateRect, GetWindow, ShowWindowAsync, TrackPopupMenuEx, UpdateWindow, DestroyIcon, IsRectEmpty, SetActiveWindow, GetSysColor, DrawTextW, IsHungAppWindow, SetTimer, GetMenuItemID, TrackPopupMenu, EndTask, SendMessageCallbackW, GetClassLongW, LoadIconW, OpenInputDesktop, CloseDesktop, SetScrollPos, ShowWindow, BringWindowToTop, GetDesktopWindow, CascadeWindows, CharUpperBuffW, SwitchToThisWindow, InternalGetWindowText, GetScrollInfo, GetMenuItemCount, ModifyMenuW, CreateWindowExW, DialogBoxParamW, MsgWaitForMultipleObjects, CharNextA, RegisterClipboardFormatW, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, PrintWindow, SetClassLongW, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, ChildWindowFromPointEx, IsChild, NotifyWinEvent, TrackMouseEvent, GetCapture, GetAncestor, CharUpperW, SetWindowLongA, DrawCaption, InsertMenuW, IsWindowEnabled, GetMenuState, LoadCursorW, GetParent, IsDlgButtonChecked, DestroyWindow, EnumWindows, IsWindowVisible, GetClientRect, UnionRect, EqualRect, GetWindowThreadProcessId, GetForegroundWindow, KillTimer, GetClassInfoExW, DefWindowProcW, RegisterClassExW, GetIconInfo, SetScrollInfo, GetLastActivePopup, SetForegroundWindow, IsWindow, GetSystemMenu, IsIconic, IsZoomed, EnableMenuItem, SetMenuDefaultItem, MonitorFromWindow, GetMonitorInfoW, GetWindowInfo, GetFocus, SetFocus, MapWindowPoints, ScreenToClient, ClientToScreen, GetWindowRect, SetWindowPos, DeleteMenu, GetMenuItemInfoW, SetMenuItemInfoW, CharNextW
    > ntdll.dll: RtlNtStatusToDosError, NtQueryInformationProcess
    > SHLWAPI.dll: StrCpyNW, -, -, -, -, StrRetToBufW, StrRetToStrW, -, -, -, -, SHQueryValueExW, PathIsNetworkPathW, -, AssocCreate, -, -, -, -, -, StrCatW, StrCpyW, -, -, -, -, -, -, -, SHGetValueW, -, StrCmpNIW, PathRemoveBlanksW, PathRemoveArgsW, PathFindFileNameW, StrStrIW, PathGetArgsW, -, StrToIntW, SHRegGetBoolUSValueW, SHRegWriteUSValueW, SHRegCloseUSKey, SHRegCreateUSKeyW, SHRegGetUSValueW, SHSetValueW, -, PathAppendW, PathUnquoteSpacesW, -, -, PathQuoteSpacesW, -, SHSetThreadRef, SHCreateThreadRef, -, -, -, PathCombineW, -, -, -, SHStrDupW, PathIsPrefixW, PathParseIconLocationW, AssocQueryKeyW, -, AssocQueryStringW, StrCmpW, -, -, -, -, -, -, -, -, SHRegQueryUSValueW, SHRegOpenUSKeyW, SHRegSetUSValueW, PathIsDirectoryW, PathFileExistsW, PathGetDriveNumberW, -, StrChrW, PathFindExtensionW, -, -, PathRemoveFileSpecW, PathStripToRootW, -, -, -, SHOpenRegStream2W, -, -, -, StrDupW, SHDeleteValueW, StrCatBuffW, SHDeleteKeyW, StrCmpIW, -, -, wnsprintfW, -, StrCmpNW, -, -
    > SHELL32.dll: -, SHGetFolderPathW, -, -, -, -, -, ExtractIconExW, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, ShellExecuteExW, -, -, -, -, -, -, -, SHBindToParent, -, -, -, SHParseDisplayName, -, -, -, -, -, -, SHGetSpecialFolderLocation, -, -, -, -, SHGetSpecialFolderPathW, -, -, -, -, -, SHChangeNotify, SHGetDesktopFolder, SHAddToRecentDocs, -, -, -, DuplicateIcon, -, -, -, -, -, -, -, -, SHUpdateRecycleBinIcon, SHGetFolderLocation, SHGetPathFromIDListA, -, -, -, -, -, -, -, SHGetPathFromIDListW, -, -, -
    > ole32.dll: CoFreeUnusedLibraries, RegisterDragDrop, CreateBindCtx, RevokeDragDrop, CoInitializeEx, CoUninitialize, OleInitialize, CoRevokeClassObject, CoRegisterClassObject, CoMarshalInterThreadInterfaceInStream, CoCreateInstance, OleUninitialize, DoDragDrop
    > OLEAUT32.dll: -, -
    > BROWSEUI.dll: -, -, -, -
    > SHDOCVW.dll: -, -, -
    > UxTheme.dll: GetThemeBackgroundContentRect, GetThemeBool, GetThemePartSize, DrawThemeParentBackground, OpenThemeData, DrawThemeBackground, GetThemeTextExtent, DrawThemeText, CloseThemeData, SetWindowTheme, GetThemeBackgroundRegion, -, GetThemeMargins, GetThemeColor, GetThemeFont, GetThemeRect, IsAppThemed

    ( 0 exports )
    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    sigcheck:
    publisher....: Microsoft Corporation
    copyright....: (c) Microsoft Corporation. All rights reserved.
    product......: Microsoft® Windows® Operating System
    description..: Windows Explorer
    original name: EXPLORER.EXE
    internal name: explorer
    file version.: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
    trid..: Generic Win/DOS Executable (49.9%)
    DOS Executable Generic (49.8%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
     
  17. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    As you can see, we're dealing with the very same issue here: Virut.
    I'm not sure, what happened.
    Did you have any files backed up, which you put back on new installation?
     
  18. domino23

    domino23 TS Rookie Topic Starter Posts: 72

    svc


    Antivirus Version Last Update Result
    a-squared 5.0.0.31 2010.07.06 -
    AhnLab-V3 2010.07.06.00 2010.07.05 -
    AntiVir 8.2.4.2 2010.07.05 -
    Antiy-AVL 2.0.3.7 2010.07.02 -
    Authentium 5.2.0.5 2010.07.06 -
    Avast 4.8.1351.0 2010.07.06 -
    Avast5 5.0.332.0 2010.07.06 -
    AVG 9.0.0.836 2010.07.05 -
    BitDefender 7.2 2010.07.06 -
    CAT-QuickHeal 11.00 2010.06.30 -
    ClamAV 0.96.0.3-git 2010.07.06 -
    Comodo 5332 2010.07.06 -
    DrWeb 5.0.2.03300 2010.07.06 -
    eSafe 7.0.17.0 2010.07.05 -
    eTrust-Vet 36.1.7687 2010.07.05 -
    F-Prot 4.6.1.107 2010.07.05 -
    F-Secure 9.0.15370.0 2010.07.06 -
    Fortinet 4.1.133.0 2010.07.04 -
    GData 21 2010.07.06 -
    Ikarus T3.1.1.84.0 2010.07.06 -
    Jiangmin 13.0.900 2010.07.03 -
    Kaspersky 7.0.0.125 2010.07.06 -
    McAfee 5.400.0.1158 2010.07.06 -
    McAfee-GW-Edition 2010.1 2010.07.05 -
    Microsoft 1.5902 2010.07.03 -
    NOD32 5253 2010.07.05 -
    Norman 6.05.10 2010.07.05 -
    nProtect 2010-07-05.01 2010.07.05 -
    Panda 10.0.2.7 2010.07.06 -
    PCTools 7.0.3.5 2010.07.06 -
    Prevx 3.0 2010.07.06 -
    Rising 22.55.01.01 2010.07.06 -
    Sophos 4.54.0 2010.07.06 -
    Sunbelt 6548 2010.07.06 -
    Symantec 20101.1.0.89 2010.07.06 -
    TheHacker 6.5.2.1.308 2010.07.05 -
    TrendMicro 9.120.0.1004 2010.07.06 -
    TrendMicro-HouseCall 9.120.0.1004 2010.07.06 -
    VBA32 3.12.12.5 2010.07.05 -
    ViRobot 2010.6.29.3912 2010.07.06 -
    VirusBuster 5.0.27.0 2010.07.05 -
    Additional information
    File size: 14336 bytes
    MD5...: 8f078ae4ed187aaabc0a305146de6716
    SHA1..: da0ff4006859a7580aba81f486f692dead2014fe
    SHA256: 16593943861d03d508f37f60e41240dee14221e76f625835487f73d5010ac18a
    ssdeep: 384:cpiRrTp13SkhnRCwOV5JpeLCdw9rDpWCl8CbW:dT/3Ska6Lh8C
    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x2509
    timedatestamp.....: 0x41107ed6 (Wed Aug 04 06:14:46 2004)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x2c00 0x2c00 6.29 6fc4d075dfb37185ffae8eacb467b822
    .data 0x4000 0x1f0 0x200 1.61 553c0ebbbc67abab785f2065a062b522
    .rsrc 0x5000 0x418 0x600 2.54 2997285df9158db5a62ffb42a2fd0d07

    ( 4 imports )
    > ADVAPI32.dll: RegQueryValueExW, SetSecurityDescriptorDacl, SetEntriesInAclW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW
    > KERNEL32.dll: HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, LocalFree, GetCurrentProcess, GetCurrentThread, GetProcAddress, LoadLibraryExW, LeaveCriticalSection, HeapAlloc, EnterCriticalSection, LCMapStringW, FreeLibrary, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, RegisterWaitForSingleObject, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, LocalAlloc, lstrcmpW, DelayLoadFailureHook
    > ntdll.dll: NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtClose, RtlSubAuthorityCountSid, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlImageNtHeader, wcslen, RtlUnhandledExceptionFilter, RtlCopySid
    > RPCRT4.dll: RpcServerUnregisterIfEx, RpcMgmtWaitServerListen, RpcMgmtSetServerStackSize, RpcServerUnregisterIf, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status, RpcMgmtStopServerListening

    ( 0 exports )
    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    trid..: Win32 Executable Generic (42.3%)
    Win32 Dynamic Link Library (generic) (37.6%)
    Generic Win/DOS Executable (9.9%)
    DOS Executable Generic (9.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    sigcheck:
    publisher....: Microsoft Corporation
    copyright....: (c) Microsoft Corporation. All rights reserved.
    product......: Microsoft® Windows® Operating System
    description..: Generic Host Process for Win32 Services
    original name: svchost.exe
    internal name: svchost.exe
    file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
     
  19. domino23

    domino23 TS Rookie Topic Starter Posts: 72

    What do you mean? And I wonder if the key is that I didn't disconnect?
     
  20. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    No need for more.
    Read my previous reply.
     
  21. domino23

    domino23 TS Rookie Topic Starter Posts: 72

    user

    Antivirus Version Last Update Result
    a-squared 5.0.0.31 2010.07.06 Trojan.Agent2!IK
    AhnLab-V3 2010.07.06.00 2010.07.05 Win32/Virut
    AntiVir 8.2.4.2 2010.07.05 W32/Virut.AT
    Antiy-AVL 2.0.3.7 2010.07.02 -
    Authentium 5.2.0.5 2010.07.06 W32/Virut.AG
    Avast 4.8.1351.0 2010.07.06 Win32:Virtob
    Avast5 5.0.332.0 2010.07.06 Win32:Virtob
    AVG 9.0.0.836 2010.07.05 Win32/Virut
    BitDefender 7.2 2010.07.06 Win32.Virtob.7.Gen
    CAT-QuickHeal 11.00 2010.06.30 W32.Virut.E
    ClamAV 0.96.0.3-git 2010.07.06 Trojan.Small-4287
    Comodo 5332 2010.07.06 Backdoor.Win32.Nepoe.em1
    DrWeb 5.0.2.03300 2010.07.06 Win32.Virut.27
    eSafe 7.0.17.0 2010.07.05 -
    eTrust-Vet 36.1.7687 2010.07.05 Win32/Virut.6640
    F-Prot 4.6.1.107 2010.07.05 W32/Virut.AG
    F-Secure 9.0.15370.0 2010.07.06 Win32.Virtob.7.Gen
    Fortinet 4.1.133.0 2010.07.04 W32/Virut.J
    GData 21 2010.07.06 Win32.Virtob.7.Gen
    Ikarus T3.1.1.84.0 2010.07.06 Trojan.Agent2
    Jiangmin 13.0.900 2010.07.03 Win32/Virut.ae
    Kaspersky 7.0.0.125 2010.07.06 Virus.Win32.Virut.at
    McAfee 5.400.0.1158 2010.07.06 W32/Virut.gen.a
    McAfee-GW-Edition 2010.1 2010.07.05 Heuristic.LooksLike.Win32.SuspiciousPE.J
    Microsoft 1.5902 2010.07.03 Virus:Win32/Virut.AA
    NOD32 5253 2010.07.05 Win32/Virut.AT
    Norman 6.05.10 2010.07.05 W32/Virut.AH
    nProtect 2010-07-05.01 2010.07.05 Virus/W32.Virut.K
    Panda 10.0.2.7 2010.07.06 W32/Virutas.AH
    PCTools 7.0.3.5 2010.07.06 Malware.Virut
    Prevx 3.0 2010.07.06 -
    Rising 22.55.01.01 2010.07.06 Win32.Virut.al
    Sophos 4.54.0 2010.07.06 W32/Virut-Gen
    Sunbelt 6548 2010.07.06 Virus.Win32.Virut.a (v)
    Symantec 20101.1.0.89 2010.07.06 W32.Virut.W
    TheHacker 6.5.2.1.308 2010.07.05 W32/Virut.genS
    TrendMicro 9.120.0.1004 2010.07.06 PE_VIRUT.AT
    TrendMicro-HouseCall 9.120.0.1004 2010.07.06 PE_VIRUT.AT
    VBA32 3.12.12.5 2010.07.05 Virus.Win32.Virut.2
    ViRobot 2010.6.29.3912 2010.07.06 Win32.Virut.U
    VirusBuster 5.0.27.0 2010.07.05 Win32.Virut.Gen.4
    Additional information
    File size: 31744 bytes
    MD5...: 710a9045fa363c59f85cb35f9fff9de9
    SHA1..: f0d574472a2957a41389035ca0ca3816371d8800
    SHA256: 7367d8aa2cfc86c7bd5394239a7af9ffc6d947d67270e17b3f82c0e92058c426
    ssdeep: 768:5JDUaxgu5YEVBxkjuv7wbaLa4PU4b7rw1a0GF+:5JHxIEVBvT2aLa4PUO7J
    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x7c00
    timedatestamp.....: 0x41107b78 (Wed Aug 04 06:00:24 2004)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x4db8 0x4e00 6.01 16aee663ed180007a0bf5bf24b845096
    .data 0x6000 0x14c 0x200 1.86 cbb599f9267bf53209039d14a3574eb1
    .rsrc 0x7000 0x6c00 0x2800 6.80 731c280eab5875531bb55c7ab3fea2f6

    ( 7 imports )
    > USER32.dll: CreateWindowExW, DestroyWindow, RegisterClassExW, DefWindowProcW, LoadRemoteFonts, wsprintfW, GetSystemMetrics, GetKeyboardLayout, SystemParametersInfoW, GetDesktopWindow, LoadStringW, MessageBoxW, ExitWindowsEx, CharNextW
    > ADVAPI32.dll: RegOpenKeyExA, ReportEventW, RegisterEventSourceW, DeregisterEventSource, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegQueryInfoKeyW, RegCloseKey, RegQueryValueExA
    > CRYPT32.dll: CryptProtectData
    > WINSPOOL.DRV: SpoolerInit
    > ntdll.dll: RtlLengthSid, RtlCopySid, _itow, RtlFreeUnicodeString, DbgPrint, wcslen, wcscpy, wcscat, wcscmp, RtlInitUnicodeString, NtOpenKey, NtClose, _wcsicmp, memmove, NtQueryInformationToken, RtlConvertSidToUnicodeString
    > msvcrt.dll: _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, __setusermatherr, __getmainargs, _acmdln, exit, _cexit, _XcptFilter, _exit, _c_exit, _initterm, _adjust_fdiv
    > KERNEL32.dll: GetVersionExW, LocalFree, LocalAlloc, GetEnvironmentVariableW, SetEnvironmentVariableW, lstrlenW, lstrcpyW, FreeLibrary, GetProcAddress, LoadLibraryW, CompareFileTime, CloseHandle, lstrcatW, WaitForSingleObject, DelayLoadFailureHook, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, LocalReAlloc, GetSystemTime, lstrcmpW, GetCurrentThread, SetThreadPriority, CreateThread, GetFileAttributesExW, GetSystemDirectoryW, SetCurrentDirectoryW, FormatMessageW, lstrcmpiW, GetCurrentProcess, GetUserDefaultLangID, GetCurrentProcessId, ExpandEnvironmentStringsW, SetEvent, OpenEventW, Sleep, GetLastError, SearchPathW, CreateProcessW

    ( 0 exports )
    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    trid..: Generic Win/DOS Executable (49.9%)
    DOS Executable Generic (49.8%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
    sigcheck:
    publisher....: Microsoft Corporation
    copyright....: (c) Microsoft Corporation. All rights reserved.
    product......: Microsoft® Windows® Operating System
    description..: Userinit Logon Application
    original name: USERINIT.EXE
    internal name: userinit
    file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
     
  22. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    What I'm asking is, if you saved some files before you formatted the drive and then you put them back after fresh installation?
     
  23. domino23

    domino23 TS Rookie Topic Starter Posts: 72

    I had some installation files I put on my external drive before I formatted so I could reinstall the programs on this main drive quicker... like AVG, Nero, Photoshop etc., but that's it.
     
  24. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    OK. Did you scan those files before putting them back on your computer?

    Is your Windows XP CD a genuine, legit CD?

    I'm also not sure, what you mean by "installation files". Normally, programs come on CD/DVD.
    Were those some torrent downloads?
     
  25. domino23

    domino23 TS Rookie Topic Starter Posts: 72

    Yeah, XP is legit. No, I didn't scan them... some I got from download.com too, like the free AVG. I mean the .exe when I say install files.
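Editor's note with an added example; the script below is not code from this thread, from TechSpot, or from any AV vendor. The section dumps posted in #16 and #21 already show the file-infector signature without any vendor verdict: explorer.exe's entry point (0xfe800) falls inside .reloc (0xfb000 to 0x104800, entropy 7.26) rather than .text, and userinit.exe's (0x7c00) falls inside .rsrc, while the clean svchost.exe in #18 starts at 0x2509 inside .text. Two caveats a practitioner would want: all three files, the clean one included, show sigcheck "verified: Unsigned", because XP system binaries are catalog-signed rather than carrying an embedded Authenticode signature, so that field says nothing here; and Virut is polymorphic, so the hashes in the reports identify only these three copies, not other infected files. The script parses the PE headers with the standard library only, flags an entry point in the last section, high entropy in that section and a writable+executable entry section, and walks a directory, which is how the saved installers in #25 could have been checked before being copied back. A static heuristic like this complements an AV scan and a clean result is not proof of a clean file. The sample images, file names and the 7.0 entropy threshold are constructed assumptions.

```python
"""Static PE triage for file-infector symptoms (added example; not code from the thread or any AV).
Parses only the DOS/COFF/optional headers and section table, then applies the checks a responder
applies to the VirusTotal section dumps above. Sample images are constructed in memory."""
import math
import os
import struct
import tempfile
from collections import Counter, namedtuple

IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000020, 0x00000040
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
FILE_ALIGN = 0x200
Section = namedtuple("Section", "name virt_addr virt_size raw_ptr raw_size characteristics")

def parse_pe(data):
    """Return (AddressOfEntryPoint, [Section, ...]); raise ValueError for non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # IMAGE_FILE_HEADER: NumberOfSections is the 2nd field, SizeOfOptionalHeader the 6th
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    if struct.unpack_from("<H", data, opt_off)[0] not in (0x10B, 0x20B):   # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (entry_rva,) = struct.unpack_from("<I", data, opt_off + 16)            # AddressOfEntryPoint
    sections = []
    for i in range(n_sections):   # 40-byte IMAGE_SECTION_HEADERs follow the optional header
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        sections.append(Section(f[0].rstrip(b"\0").decode("latin-1"), f[2], f[1], f[4], f[3], f[9]))
    return entry_rva, sections

def entropy(buf):
    """Shannon entropy in bits per byte (the 'ntrpy' column in the VirusTotal dumps)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def triage(data):
    """Findings for one image; an empty list means no infector symptom was seen."""
    entry_rva, sections = parse_pe(data)
    ep = next((s for s in sections if s.virt_addr <= entry_rva < s.virt_addr + max(s.virt_size, s.raw_size)), None)
    if ep is None:
        return ["entry point 0x%x maps to no section" % entry_rva]
    findings = []
    # Infectors append their body to the last section and redirect the entry point there, leaving the real code section earlier
    if ep is sections[-1] and any(s.characteristics & IMAGE_SCN_MEM_EXECUTE for s in sections[:-1]):
        findings.append("entry point 0x%x is in the last section %s, not the code section" % (entry_rva, ep.name))
    ent = entropy(data[ep.raw_ptr:ep.raw_ptr + ep.raw_size])
    if ent > 7.0:   # assumed threshold; encrypted or packed code sits near 8.0, plain x86 code well below
        findings.append("entry-point section %s has entropy %.2f (encrypted or packed code)" % (ep.name, ent))
    if ep.characteristics & IMAGE_SCN_MEM_WRITE and ep.characteristics & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry-point section %s is writable and executable" % ep.name)
    return findings

def scan_dir(root, exts=(".exe", ".dll", ".scr", ".sys")):
    """Walk a directory of saved installers; return {path: findings} for the PE files that were flagged."""
    flagged = {}
    for dirpath, _, names in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in names if n.lower().endswith(exts)):
            try:
                with open(path, "rb") as fh:
                    hits = triage(fh.read())
            except (ValueError, OSError, struct.error):   # not a PE, truncated, or unreadable: skip it
                continue
            if hits:
                flagged[path] = hits
    return flagged

def build_pe(entry_rva, specs):
    """Constructed minimal PE32 image (test input only); specs = [(name, rva, body, characteristics)]."""
    n = len(specs)
    hdr_size = -(-(0x40 + 4 + 20 + 224 + 40 * n) // FILE_ALIGN) * FILE_ALIGN
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    # optional header: magic, AddressOfEntryPoint at +16, ImageBase/SectionAlignment/FileAlignment at +28
    opt = (struct.pack("<H", 0x10B).ljust(16, b"\0") + struct.pack("<IIIIII", entry_rva, 0, 0, 0x400000, 0x1000, FILE_ALIGN)).ljust(224, b"\0")
    hdrs, bodies, raw_ptr = b"", b"", hdr_size
    for name, rva, body, chars in specs:
        raw_size = -(-len(body) // FILE_ALIGN) * FILE_ALIGN
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(body), rva, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        bodies += body.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 224, 0x0102)
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(hdr_size, b"\0") + bodies

CODE, DATA = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
STUB = b"\x55\x8b\xec\x33\xc0\x5d\xc3" * 73    # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
CLEAN_IMAGE = build_pe(0x1000, [(".text", 0x1000, STUB, CODE), (".rsrc", 0x2000, b"RSRC" * 64, DATA)])
# Constructed "infected" twin: .rsrc holds 2 KiB of high-entropy bytes standing in for the virus body, is RWX, and owns the entry point
INFECTED_IMAGE = build_pe(0x2100, [(".text", 0x1000, STUB, CODE),
    (".rsrc", 0x2000, bytes(range(256)) * 8, DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)])

def demo_scan():
    """Write both images plus a non-PE file named .exe to a temp dir and scan it; returns {basename: findings}."""
    with tempfile.TemporaryDirectory() as d:
        for name, blob in (("avg_setup.exe", CLEAN_IMAGE), ("nero_setup.exe", INFECTED_IMAGE), ("notes.exe", b"not a PE")):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(blob)
        return {os.path.basename(p): hits for p, hits in scan_dir(d).items()}
```

Run `print(demo_scan())` to see only the constructed nero_setup.exe flagged with all three findings; point `scan_dir()` at the external drive's installer folder to triage real files. The entry-point check is the one that matches the reports above most directly, since every infected copy on the page, whatever its hash, starts execution in its last section.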
     
Topic Status:
Not open for further replies.

