Thekeys.ws virus infected my computer

By Weslley
Nov 2, 2009
Topic Status:
Not open for further replies.
  1. Hello, I downloaded a file from thekeys.ws and it turned out to be a virus. I read the 8 step guide and I've done the first 4 steps. But when I use the SuperAntiSpyware scan my computer crashes in the middle of the scanning process. The screen will turn blue and gives me this error (xxx stop: 0x00000050 ( 0x12825d7d0, 0x00000000, 0x84A12F51, 0x00000000). So I went on with the 6th step, updating Java. I just deleted the old one (which was out of date) but I didn't download the new version. After that I ran HijackThis. I have AVG version 8.5. And it keeps giving me trojan alerts and malware etc. etc. when turned on (turned off during the 8 steps). So I have the anti malware log and the HijackThis log but I couldn't run the SuperAntiSpyware scan till the end.

    I hope somebody can help me,
    Thanks
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Weslley, welcome to TechSpot. It appears that you have a Virut infection;
    reader_s.exe Added by the Virus.Win32.Virut.n TROJAN
    FASTNETSRV.EXE (Trojan.Agent/Gen-Virut[FNS])

    Virut is a Polymorphic File Infector that infects .EXE and .SCR files. It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker.

    And I can't say anything better or different than what you can read here:
    http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html


    Change all of your passwords and monitor any online transactions.

    Before we make it all doom and gloom, let's check to be sure:

    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • c:\windows\system32\userinit.exe
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.

    Also scan these,

    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe


    You also have a Backdoor.Win32.HareBot TROJAN: (restorer32_a.exe)
    If Virut is confirmed, I will recommend that you reformat/reinstall. There is no 'fix' for this. Due to its very nature, you fix one form and it becomes another form.

    P2P or 'file sharing': P2P Warning:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall Limewire for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    Give me the log from the Virut scan and we'll go from there.
  3. Weslley

    Weslley Newcomer, in training Topic Starter

    Hey, I guess something went wrong with my post. Anyways, I followed your steps and the VIRscan did indeed find a Virut infection... never heard of it before but now I know what it is for the next time. I formatted my computer and it is running smoothly again. Thanks for your help.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I got the reply in my email feedback:

    Here is the message that has just been posted:
    --------------------------------------------------------------------------------

    I went to the URL for the scan and English was " Scanners did not find malware!" But I only see the scan for svchost.exe. This scan is meant to be a check for the Virut malware when it is strongly suspected. But since two security programs identified Virut, a reformat/reinstall would be recommended.

    To answer the question you asked but didn't wait for reply:
    If the files you copied were infected and you then put them back on the computer, you may have infected the system again. This is especially true if the files had an executable.
  5. Weslley

    Weslley Newcomer, in training Topic Starter

    Hey, I made 2 replies, in the first one I added the other scan results, in those files the program found a Virut infection. But it found nothing in the last one that you received. I just deleted all the files, I didn't bother to save them. So I guess everything is fixed now. Thanks for the help.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    So the cleaning tools have been removed and the old restore points are gone- right?

    To help you stay safe in the future:
    Please follow these simple steps to keep your computer clean and secure:
    1. Disable and Enable System Restore: This will help you to drop the old restore points and set a new, clean one:

    System Restore Guide


    2. Stay current on updates:
    • Visit the Microsoft Download Site frequently.
      You should get All updates marked Critical and the current SP updates: Windows 2000> SP4, Windows XP> SP2, SP3, Vista> SP1
    • Visit this site (Adobe Reader) often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

    3. Make Internet Explorer safer. Follow the suggestions HERE
    This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

    4. Remove Temporary Internet Files regularly: Use
    5. Use an AntiVirus Software (only one)
    6. Use a good, bi-directional firewall (one software firewall)
    • See Understanding and Using Firewalls including links to download a firewall.

    7. Consider these programs for Extra Security
    • Spywareblaster:
    • SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    • IE/Spyad
    • This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts files: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    • Google Toolbar: Get the free Google toolbar to help stop pop up windows.

    If I can be of further assistance, please let me know. Help and support is only given in the forums but you can send a PM to me and bring my attention back to the thread.