Viruses! Virut, heur, cryptor

Status
Not open for further replies.

dt1986
Hi,

I got an AVG alert of several viruses and can't get rid of them. I have run the 8 steps and have attached the required logs. Would be very grateful if anyone can help.
 

Attachments

  • hijackthis.log (11.6 KB)
  • SUPERAntiSpyware Scan Log - 04-06-2009 - 19-14-10.log (465 bytes)
Make a folder on the Desktop named FixVirut.

Download the next 2 files and move both into the folder.
http://www.grisoft.cz/filedir/util/avg_rem_sup.dir/rmvirut/rmvirut.exe
http://www.grisoft.cz/filedir/util/avg_rem_sup.dir/rmvirut/rmvirut.nt

Next
Download the below to desktop
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixVirut.com

Then reboot to Safe Mode

Enter the FixVirut folder and run rmvirut.exe

When it finishes, run the FixVirut.com on the desktop. If the above requires a reboot, then reboot back to Safe Mode to run this one.

When finished, reboot back to Normal Mode and run MBAM again, but this time click to delete what is found. You did not before, as the log says "No Action taken". Post this new log!

Post a new HJT log last!

Mike
 
Before you do anything else, UPDATE and rescan with Malwarebytes. The malware entries show "No action taken", which means you did not follow the line: "* Make sure that everything is checked, and click Remove Selected."

This means that the Vundo, Zlob and Virut entries did not get removed and are still on the system.

You are also running Teatimer:
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Real Time Protection needs to be temporarily disabled BEFORE the scans:
SPYBOT TEATIMER

* Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
* On the left hand side, click on Tools, then click on the Resident Icon in the list.
* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
* Click on the "System Startup" icon in the List
* Uncheck the "TeaTimer" box and "OK" any prompts.
* If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
* Exit Spybot S&D when done.
* (When we are done, you can re-enable TeaTimer using the same steps, but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)

You are running BitComet, which is a file sharing (P2P) program. By using this, you expose the system to constant malware.
Source: kritius:
P2P Warning!

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
BitTorrent
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.

I'd like you to read the Guidelines for P2P Programs HERE where we explain why it's not a good idea to have them.

References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm
See Clean/Infected P2P Programs here

I would recommend that you uninstall BitComet; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.
NOTE: above has been customized for this user.

It appears that you had Norton Security at some time. An uninstallation was not complete and this Service remains:
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

Please click on Start> Run> services.msc> double click on Symantec Lic NetConnect service (CLTNetCnService)> change Startup type to Disabled> Stop the Service.

Use the Norton Removal Tool to make sure all entries have been removed:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

A NOTE to the member helping: It is important to OPEN and REVIEW the first set of logs. Entries can be dealt with as needed.
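Bobbye's note above is about reading the HijackThis (HJT) log rather than skimming it: the entries she and Mike called out in this thread are a real-time protection component (the O4 TeaTimer run key), P2P browser hooks (the O8/O9 BitComet entries), and orphaned entries whose target file no longer exists (the O23 Symantec service and the O2 BHO with "(no file)"). The following is an added example, not a tool from this thread or from TechSpot, showing how a helper could triage HJT lines mechanically: it parses the "O<n> - <kind>: <detail>" layout, flags entries whose file is missing, and matches a small watch list. The sample log lines are the ones quoted in the thread; the watch list itself is a constructed illustration, not an authoritative list.

```python
"""Triage of HijackThis (HJT) log entries.

Added example for this thread, not HJT's own code. The sample lines below are
the entries quoted in the thread; WATCH_LIST is a constructed illustration.
"""
import re
from dataclasses import dataclass, field

# An HJT entry looks like: "O23 - Service: <detail>". The kind never contains a
# colon, while the detail usually does (drive letters), so split on the first ": ".
ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")

# HJT appends these markers when the referenced file cannot be found on disk.
MISSING_MARKERS = ("(file missing)", "(no file)")

# Constructed watch list: lower-case substring -> why a helper would call it out.
WATCH_LIST = {
    "teatimer": "real-time protection; disable before scanning",
    "bitcomet": "P2P client; common malware vector",
}

# Sample input, constructed from the HJT lines quoted in this thread.
SAMPLE_LOG = [
    r"O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe",
    r"O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm",
    r"O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm",
    r"O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm",
    r"O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)",
    r"O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)",
    r"O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)",
    "Logfile of Trend Micro HijackThis v2.0.2",  # non-entry line, must be skipped
]


@dataclass
class Entry:
    code: str            # e.g. "O23"
    kind: str            # e.g. "Service"
    detail: str          # everything after the kind
    flags: list = field(default_factory=list)


def parse_entry(line):
    """Return an Entry for an HJT log line, or None for header/blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return Entry(code=m.group(1), kind=m.group(2).strip(), detail=m.group(3).strip())


def triage(lines):
    """Parse all entry lines and attach review flags to each one."""
    entries = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        low = entry.detail.lower()
        if any(mark in low for mark in MISSING_MARKERS):
            # Orphaned entry: the registry/BHO reference survives, the file is gone.
            entry.flags.append("orphaned: referenced file does not exist")
        for needle, reason in WATCH_LIST.items():
            if needle in low:
                entry.flags.append(reason)
        entries.append(entry)
    return entries


def summarize(entries):
    """Count entries per HJT section code (O2, O4, ...), preserving log order."""
    counts = {}
    for entry in entries:
        counts[entry.code] = counts.get(entry.code, 0) + 1
    return counts


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("sections:", summarize(result))
    for entry in result:
        if entry.flags:
            print(f"{entry.code} [{entry.kind}] -> {'; '.join(entry.flags)}")
```

Running it over the sample log lists every quoted entry with its reason for review: the three orphaned entries are the ones Mike and Bobbye asked to be fixed or disabled, and the TeaTimer hit is the real-time protection that had to be switched off before the scans. Flagging is only a prompt for a human to look; it does not decide that an entry is malicious.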
 
Good post Bobbye :grinthumb
We are all still grateful for all the Malware Support helpers at TechSpot, please take Bobbye's post as positive constructive criticism
 
I told him the same thing!

When finished reboot back to normal and run MBAM again but this time click to delete what is found. You did not before as log says "No Action taken". Post this new log!

But because of the hard to remove Virut I want it removed first!

In Safe mode teatimer is not running!

DT do my post #2 as I posted completely before continuing then do the P2P removals as above!

Mike
 
In Safe mode teatimer is not running!
The original scans were run with TeaTimer running. That makes them invalid to some point. It is my thought that MBAM should have been dealt with as soon as you saw nothing was removed.
 
I used the paid AdAware with AdWatch for years. Since AdWatch ran in Real Time, whenever anything attempted to make a change in the Registry, I got an Alert. It was then up to me to allow or not allow. An advanced user would be safe shutting this Alert off. Inexperienced users should use the "if you don't know, don't allow it" principle we often suggest.

But we are told that Real Time Protection should be temporarily disabled BEFORE the scans. This is one reason that I check a log when only HijackThis is given-
 
Hi, thanks for the advice.

I tried to stop the TeaTimer but an error came up, so I just uninstalled it. BitComet has been on my laptop for years but I don't actually use it, so I have uninstalled that too, along with AutoCad and SpaceGass because my licences for them have run out.

It appears that I posted the wrong MBAM log onto the original thread because I was certain I did remove some things off the system. I have attached the correct original one.

I ran the tests as described by mflynn and it came up that there are no traces of the virut virus on my laptop.

I have re-run MBAM and this confirms this (log is attached), and I have also attached the latest HJT log.

If there is anything else I should do, please let me know.

Also, would you recommend a different virus scanner other than AVG? AVG seems to be very sluggish nowadays (i.e. slowing my laptop considerably when running a scan and taking 3 hours to complete).

Regards

Dave
 

Attachments

  • mbam-log-2009-04-06 (15-51-21) Original.txt (2 KB)
  • mbam-log-2009-04-08 (12-11-04).txt (848 bytes)
OK good job, looking good.

Run HJT Scan only, select to Fix the below...
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

Then do the below..

Download ComboFix

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

Install Recovery Console if connected to the Internet!

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

Mike
 
OK, you appear clean, so we will now address the virus cleaner.

Yes, there is a much better virus scanner, Avira; it can be downloaded from the 8 Steps page.

But first you should uninstall AVG properly. To do that, follow these steps.

In Control Panel > Add/Remove, uninstall AVG.

Then, after a reboot, do the below.

Download the AVG remover and run it: http://www.grisoft.cz/filedir/util/avg_arm_sup_____.dir/avgremover.exe

Download, extract and run Kleaner: http://support.kaspersky.com/downloads/products2009/avg8.zip

Then install Avira, update it and do a full scan; it is very good and will likely find issues. Post its log.

You will definitely notice a substantial performance increase.

Mike
 
When I suggest a change in antivirus programs, I do it a bit differently in order to always have some protection on the system:

1. Download the new AV and SAVE to the desktop. Do NOT run it from the site and do not run it from the desktop yet.
2. Download the AVG Remover and SAVE to your desktop. Do NOT run it from the site and do not run it from the desktop yet.
3. Boot into Safe Mode: go to File > Work Offline.
This will stop the internet connection so that you are not vulnerable.
4. Uninstall AVG. I haven't used the remover, but when I uninstalled my AVG, I just took it off of start-up > Disabled the Services > Uninstalled the program. The remover may do this all for you.

5. Double click the new AV on the desktop to install it. Follow the prompts
6. When installation is complete, reboot the computer into Normal Mode. When asked if you want to go back online, answer Yes.
7. Update the new AV immediately and then run a complete system scan.
 
Scan revealed more viruses and has quarantined them all. Getting slightly depressed by this all!
 

Attachments

  • AVSCAN-20090408-170023-8BF04F03.LOG (30.1 KB)
Well, just in time then; the found items were false positives.

You did a great job!

Thread Closing-------------------------------------------------------------------

Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

Remove ComboFix
Start-Run
type
combofix /u
Hit enter or click OK.

Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

Save to desktop.

This will remove all the tools we used to clean your computer.

Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

Approve all if prompted by the Firewall. Approve Windows Defender or other guards or security programs while OTCleanIt is attempting to access the Internet, to allow all.

If prompted to Reboot, click Yes.
OTCleanIt will delete itself when finished. If not, delete it yourself.

-------------------------------------------------------------------------------------
Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner. (When installing uncheck Relevant Knowledge do not install)
-------------------------------------------------------------------------------------
The issues can be, and are likely, found in System Restore, so do the below.

Start > Programs > Accessories > System Tools > System Restore and create a new Restore Point. Name it "After cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.

As this runs it clears all but the most recent Restore Point, but it does one other thing: it clears something that can contain infested files and take a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.
-------------------------------------------------------------------------------------
ERUNT
Add a redundant Registry backup: get and install ERUNT, let it add itself to startup and do a backup on install (check all boxes).

ERUNT http://www.larshederer.homepage.t-online.de/erunt/
Yes! Even if you use system restore and other backups Registry and Images.
-------------------------------------------------------------------------------------

Every two weeks or so, run MBAM and SAS until clean.

They take a while, so leave them scanning while you are sleeping, working or watching TV. If not done under the gun, they can be scheduled not to interfere with computer time.

If they find something they can not clean, then get back to us.

Additionally, run CCleaner, ATF-Cleaner and KCleaner.
----------------------------------------------------------------------------------------
I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

It was designed to be used with and to co-exist with other Virus scanners.

Additionally, it uses a totally different process to protect. While conventional virus scanners work from definitions, ThreatFire works on recognizing virus/malware activity.

It's like looking at it with 2 sets of eyes and from a different angle.

It works like some Firewalls do to learn what is good/bad.

After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

As it queries you, to help you decide whether to approve or not, you can Google the prompt with one click.

http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot occasionally and use the Immunize function.
http://www.safer-networking.org/en/download/

I highly recommend HostsMan: http://majorgeeks.com/HostsMan_d4592.html

Download, install and run it, allow it to disable the DNS Client, select all Hosts files and then Update and install all Hosts files.

A Disk Scan (chkdsk) and Defrag are in order.

Mike
 
Virut is what's called a polymorphic virus

A virus that changes its virus signature (i.e., its binary pattern) every time it replicates and infects a new file in order to keep from being detected by an antivirus program.
or

A type of computer virus that has the capability of changing its own code, allowing the virus to have hundreds, sometimes thousands, of different variants, making it much more difficult to notice and/or detect.

So let's try a different regimen since previous didn't completely remove:
Please follow the list of recommended programs to run> IN ORDER here:
http://forums.majorgeeks.com/showthread.php?t=138601

Try this first: You can give this a try to see if it will work on your OS: Win32/Virut Removal Tool
http://free.avg.com/virus-removal.ndi-67762

If it does not work, go to the steps set up in this link:
http://forums.majorgeeks.com/showthread.php?t=35407

Some of this will be redundant as you have already done it. But run the programs given: NOTE: if you already have the program on your system, UPDATE it before scanning.

Post all of the logs as you did with the TechSpot Steps.

Just like 'germs' for humans, the virus wants to survive. The more things that are thrown at it, the more it's going to change (mutate) to a form that can survive the latest assault. Hopefully this will be a regimented list of programs capable of capturing ALL the morphs at once!

EDIT: No Mike- I don't think they were false positives!
And YOU cannot close a thread!
 
Polymorpigus What!!! How dare you talk to us like that! Is that some kind of insect?? :grinthumb

Who said I was closing an actual thread, like in locking it from further use like a MOD!.

My closing is just a wrap up. I think everyone else knew that now you do also!

DT can do what he wants. I think he is finished!

You need to read the posts better Bobbye!

Bobbye
Try this first: You can give this a try to see if it will work on your OS: Win32/Virut Removal Tool
http://free.avg.com/virus-removal.ndi-67762

Me in post #2
Make a folder on Desktop name FixVirut

Download next 2 files and move both into the folder.
http://www.grisoft.cz/filedir/util/a...ut/rmvirut.exe
http://www.grisoft.cz/filedir/util/a...rut/rmvirut.nt

Next
Download the below to desktop
http://www.symantec.com/content/en/u...s/FixVirut.com

Of your Majorgeeks references one of them is 4 years old and the other going on 2 years old!

Mike
 
ROLF!!!!

You are a Hoot Bobbye!:stickout:

Well I still like you Bobbye and don't care what the others say!:approve:

Well enough fun for now.

Nite Bobbye!

Mike
 
Others say that Bobbye is the best here ;)

As for Avira finding 15 Viruses and removing them, yep that sounds correct to me being an AVG hater.
 
a real GEEK Term: polymorphic

google for "define: polymorphic" and see reference # 3 :)
 
Actually, polymorphic is another term borrowed from biology, anatomy and chemistry> kind of like we use the term 'virus':

Gk polýmorphos; see poly-, -morph
poly-a combining form with the meanings “much, many”
morph- combining form meaning “form, structure"

So we end up with a very descriptive term for this virus which changes to many forms!

Capiche!
 
I can't believe someone had to define polymorphic, it is obvious what the word means...

Right, I'm a little confused with what the best course of action is now.

Do I go with Bobbye's post, or mflynn's? I'm thinking that a format and reboot might just be the only course of action now...
 
I defined it because of the nature of the virus. I don't think you got False Positives. I think the viruses morphed. Some of my post contains steps Mike gave you, but in a different order and with additional programs. It doesn't matter if the page is 'two years old'. The nature of the beast is still the same.

I do not follow the same steps as Mike does after the initial logs are given. I open ALL the logs and make my decisions based on what I see and the 'symptoms' the user is having. I don't know what shape your system has ended up in; you may be forced to do the reformat, OR you can try what I set up.

However, I would suggest you remove ALL the cleaning programs that were added first:
OTCleanIt
Download OTCleanIt HERE & save it to your desktop.
Double click on OTCleanIt.exe.
Click on CleanUp!.
It will go thorough the list and remove all of the tools it finds and then delete itself (requiring a reboot).
You will receive a prompt that it needs to restart the computer to remove the files>
Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.

Clear your existing System Restore points and establish a new clean restore point:

1. Go to Start > All Programs > Accessories > System Tools > System Restore
2. Select Create a restore point, and OK it.
3. Next, go to Start > Run and type in cleanmgr
4. Select the More options tab
5. Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.

I'm sorry the problem wasn't resolved.
 
DT you are clean no format!!!!!

And you have already done the OTCleanIt and cleanmgr in post #15. So no need to repeat!

Your computer is running good now is it not??

Mike
 