Thekeys.ws virus infected my computer

Status
Not open for further replies.
Hello, I downloaded a file from thekeys.ws and it turned out to be a virus. I read the 8 step guide and I've done the first 4 steps. But when I use the SuperAntiSpyware scan my computer crashes in the middle of the scanning process. The screen will turn blue and gives me this error (xxx stop: 0x00000050 ( 0x12825d7d0, 0x00000000, 0x84A12F51, 0x00000000). So I went on with the 6th step, updating Java. I just deleted the old one (which was out of date) but I didn't download the new version. After that I ran HijackThis. I have AVG version 8.5. And it keeps giving me trojan alerts and malware etc. etc. when turned on (turned off during the 8 steps). So I have the anti malware log and the HijackThis log but I couldn't run the SuperAntiSpyware scan till the end.

I hope somebody can help me,
Thanks
 
Weslley, welcome to TechSpot. It appears that you have a Virut infection;
reader_s.exe Added by the Virus.Win32.Virut.n TROJAN
FASTNETSRV.EXE (Trojan.Agent/Gen-Virut[FNS])

Virut is a Polymorphic File Infector that infects .EXE and .SCR files. It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker.

And I can't say anything better or different than what you can read here:
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html


Change all of your passwords and monitor any online transactions.

Before we make it all doom and gloom, let's check to be sure:

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\userinit.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Also scan these,

C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe


You also have a Backdoor.Win32.HareBot TROJAN: (restorer32_a.exe)
Some characteristics are: RogueAntiSpyware.HomeAntiVirus2010 displays fake alerts and scan results in malware payloads in order to persuade users into buying the rogue antispyware products.

The dangers are that it is a virus capable of modifying other files by infecting, prepending, or overwriting them with its own body and/or a malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment.
Source: Threat Expert.

If Virut is confirmed, I will recommend that you reformat/reinstall. There is no 'fix' for this. Due to its very nature, you fix one form and it becomes another form.

P2P or 'file sharing': P2P Warning:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall Limewire for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

Give me the log from the Virut scan and we'll go from there.
 
Hey, I guess something went wrong with my post. Anyways, I followed your steps and VirSCAN did indeed find a Virut infection... never heard of it before but now I know what it is for the next time. I formatted my computer and it is running smoothly again. Thanks for your help.
 
I got the reply in my email feedback:

Here is the message that has just been posted:
And last but not least C:\WINDOWS\System32\svchost.exe:

VirSCAN.org Scanned Report :
Scanned time : 2009/11/04 14:02:37 (CET)
Scanner results: Geen enkele scanner vond malware!
File Name : svchost.exe
File Size : 14336 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : e410ec73e2be2a41d923b006f51c8427
SHA1 : c9aef0e56bff968edf21c416d5403e9470951da3
Online report : http://virscan.org/report/53b0b69ec95363100d93d42d78590937.html


Well, I think reformatting is the correct thing to do after reading your reply. There are a few photos on this computer that need to be saved so my question is if I can put them on my USB stick without any problems or danger that if I put them back after reformatting that the problems start again?
--------------------------------------------------------------------------------

I went to the URL for the scan and the English was "Scanners did not find malware!" But I only see the scan for svchost.exe. This scan is meant to be a check for the Virut malware when it is strongly suspected. But since two security programs identified Virut, a reformat/reinstall would be recommended.

To answer the question you asked but didn't wait for a reply:
"if I can put them on my USB stick without any problems or danger that if I put them back after reformatting that the problems start again"

If the files you copied were infected and you then put them back on the computer, you may have infected the system again. This is especially true if the files had an executable.
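
An added example, not part of the original thread: one way to sort a folder before copying it to a USB stick, holding back anything with the .exe/.scr extensions named above as Virut targets, plus any file whose content is a Windows executable regardless of its name. The function names and the sample files are constructed for illustration; the check separates executables from plain data files and does not detect infection.

```python
import struct
import tempfile
from pathlib import Path

# The two extensions the thread names as Virut targets.
INFECTABLE_EXTENSIONS = {".exe", ".scr"}


def is_pe_file(path: Path) -> bool:
    """True if the file has a DOS 'MZ' header pointing at a 'PE\\0\\0' signature."""
    with path.open("rb") as fh:
        header = fh.read(64)
        if len(header) < 64 or header[:2] != b"MZ":
            return False
        # e_lfanew (offset 0x3C) holds the file offset of the PE signature.
        (pe_offset,) = struct.unpack_from("<I", header, 0x3C)
        fh.seek(pe_offset)
        return fh.read(4) == b"PE\x00\x00"


def triage_backup(folder: Path):
    """Split files into (data_files, held_back) before copying to removable media."""
    data_files, held_back = [], []
    for path in sorted(p for p in folder.rglob("*") if p.is_file()):
        by_name = path.suffix.lower() in INFECTABLE_EXTENSIONS
        by_content = is_pe_file(path)  # catches executables renamed to .jpg etc.
        if by_name or by_content:
            held_back.append(path.name)
        else:
            data_files.append(path.name)
    return data_files, held_back


def build_sample_folder(root: Path) -> Path:
    """Constructed sample data: one photo, one screensaver, one disguised PE."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 100
    pe = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00"
    (root / "holiday.jpg").write_bytes(jpeg)
    (root / "slideshow.scr").write_bytes(pe)
    (root / "photo2.jpg").write_bytes(pe)  # executable hiding behind .jpg
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        keep, hold = triage_backup(build_sample_folder(Path(tmp)))
        print("copy to USB:", keep)
        print("leave behind:", hold)
```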
 
Hey, I made 2 replies, in the first one I added the other scan results, in those files the program found a Virut infection. But it found nothing in the last one that you received. I just deleted all the files, I didn't bother to save them. So I guess everything is fixed now. Thanks for the help.
 
So the cleaning tools have been removed and the old restore points are gone, right?

To help you stay safe in the future:
Please follow these simple steps to keep your computer clean and secure:
1. Disable and Enable System Restore: This will help you to drop the old restore points and set a new, clean one:

System Restore Guide


2. Stay current on updates:
  • Visit the Microsoft Download Site frequently.
    You should get all updates marked Critical and the current SP updates: Windows 2000 > SP4, Windows XP > SP2, SP3, Vista > SP1
  • Visit this site (Adobe Reader) often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

3. Make Internet Explorer safer. Follow the suggestions HERE
This Tutorial will help guide you through Configuring Security Settings, Managing ActiveX Controls and other safety features.

4. Remove Temporary Internet Files regularly: Use
5. Use an AntiVirus Software (only one)
6. Use a good, bi-directional firewall (one software firewall)
  • See Understanding and Using Firewalls including links to download a firewall.

7. Consider these programs for Extra Security
  • SpywareBlaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
  • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts files: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
  • Google Toolbar: Get the free Google Toolbar to help stop pop-up windows.

If I can be of further assistance, please let me know. Help and support is only given in the forums but you can send a PM to me and bring my attention back to the thread.
 