Viruses! Virut, heur, cryptor

By dt1986 · 34 replies
Apr 7, 2009
  1. Hi,

    I got an AVG alert of several viruses and can't get rid of them. I have ran the 8 steps and have attached the required logs. Would be very greatful if anyone can help.


  2. mflynn

    mflynn TS Rookie Posts: 2,655

    Make a folder on Desktop name FixVirut

    Download next 2 files and move both into the folder.

    Download the below to desktop

    Then reboot to Safe Mode

    Enter the FixVirut folder and run rmvirut.exe

    When it finishes, run the on the desktop. If the above requires a reboot, then reboot back to Safe Mode to run this one.

    When finished reboot back to normal and run MBAM again but this time click to delete what is found. You did not before as log says "No Action taken". Post this new log!

    Post a new HJT log last!

  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Before you do anything else, UPDATE and rescan with Malwarebytes. The malware entries show "No action taken." which means you did not check the line: "Make sure that everything is checked, and click Remove Selected."

    This means that the Vundo, Zlob and Virut entries did not get removed and are still on the system.

    You are also running Teatimer:
    Real Time Protection needs to be temporarily disabled BEFORE the scans:

    You are running BitComet which is a file sharing (P2P) program. By using this, you expose the system to constant malware.
    NOTE: above has been customized for this user.

    It appears that you had Norton Security at some time. An uninstallation was not complete and this Service remains:
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

    Please click on Start> Run> services.msc> double click on Symantec Lic NetConnect service (CLTNetCnService)> change Startup type to Disabled> Stop the Service.

    Use the Norton Removal Tool to make sure all entries have been removed:

    A NOTE to the member helping: It is important to OPEN and REVIEW the first set of logs. Entries can be dealt with as needed.
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Good post Bobbye :grinthumb
    We are all still grateful for all the Malware Support helpers at TechSpot, please take Bobbye's post as positive constructive criticism
  5. mflynn

    mflynn TS Rookie Posts: 2,655

    I told him the same thing!

    But because of the hard to remove Virut I want it removed first!

    In Safe mode teatimer is not running!

    DT do my post #2 as I posted completely before continuing then do the P2P removals as above!

  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    The original scans were run with TeaTimer running. That makes them invalid to some point. It is my thought that MBAM should have been dealt with as soon as you saw nothing was removed.
  7. mflynn

    mflynn TS Rookie Posts: 2,655

    Thanks again Bobbye for

    Besides who ever heard of Adwatch finding or blocking anything!

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    I used the paid AdAware with AdWatch for years. Since AdWatch ran in Real Time, whenever anything attempted to make a change in the Registry, I got an Alert. It was then up to me to allow or not allow. An advanced user would be safe shutting this Alert off. Inexperienced users should use the "if you don't know, don't allow it" principle we often suggest.

    But we are told that Real Time Protection should be temporarily disabled BEFORE the scans. This is one reason that I check a log when only HijackThis is given-
  9. dt1986

    dt1986 TS Rookie Topic Starter

    Hi, thanks for the advice.

    I tried to stop TeaTimer but an error came up so I just uninstalled it. BitComet has been on my laptop for years but I don't actually use it so I have uninstalled that too, along with AutoCad and SpaceGass because my licences for them have run out.

    It appears that I posted the wrong MBAM log onto the original thread because I was certain I did remove some things off the system. I have attached the correct original one.

    I ran the tests as described by mflynn and it came up that there are no traces of the Virut virus on my laptop.

    I have re-run MBAM and this confirms this (log is attached) and I have also attached the latest HJT log.

    If there is anything else I should do, please let me know.

    Also, would you recommend a different virus scanner other than AVG? AVG seems to be very sluggish nowadays (i.e. slowing my laptop considerably when running a scan and taking 3 hours to complete).


  10. mflynn

    mflynn TS Rookie Posts: 2,655

    OK good job, looking good.

    Run HJT Scan only, select to Fix the below...
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    Then do the below..

    Download ComboFix

    Get it here:
    Or here:

    Double click combofix.exe follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.
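    The helpers in posts #3 and #10 read HijackThis logs by eye, looking for O23 services whose binary is "(file missing)" and O2 BHOs with "(no file)". The script below is an added example, not part of this thread or of HijackThis itself; it parses those two line types and flags orphaned entries, using the two lines quoted in the thread plus two constructed healthy entries (the Example paths and CLSID are made up) as sample input.

    ```python
    import re
    from dataclasses import dataclass

    # Constructed sample log: the two entries quoted in this thread plus two
    # healthy entries invented for contrast (Example paths/CLSID are placeholders).
    SAMPLE_LOG = """\
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\\Program Files\\Common Files\\Symantec Shared\\ccSvcHst.exe (file missing)
    O23 - Service: Example Updater (ExampleSvc) - Example Corp - C:\\Program Files\\Example\\svc.exe
    """

    @dataclass
    class Entry:
        section: str    # "O2" or "O23"
        name: str       # CLSID for a BHO, short service name for a service
        target: str     # path column as written in the log
        reasons: list   # why a helper should look at this entry (empty = looks fine)

    O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
    O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")

    def triage_line(line):
        """Parse one HJT line; return an Entry for O2/O23 lines, None for anything else."""
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            reasons = []
            if m["path"].lower() == "(no file)":
                reasons.append("orphaned BHO: CLSID registered but no DLL on disk")
            if m["name"].lower() == "(no name)":
                reasons.append("BHO has no display name")
            return Entry("O2", m["clsid"], m["path"], reasons)
        m = O23_RE.match(line)
        if m:
            reasons = []
            if m["path"].lower().endswith("(file missing)"):
                reasons.append("service binary missing: leftover of an incomplete uninstall or a deleted file")
            if m["owner"].lower() == "unknown owner":
                reasons.append("service carries no publisher information")
            return Entry("O23", m["short"], m["path"], reasons)
        return None

    def triage_log(text):
        """Return only the O2/O23 entries that have at least one reason to review them."""
        return [e for e in (triage_line(l) for l in text.splitlines()) if e and e.reasons]

    if __name__ == "__main__":
        for e in triage_log(SAMPLE_LOG):
            print(f"{e.section} {e.name}: {'; '.join(e.reasons)}")
    ```

    Both thread entries are flagged on two counts each; the two healthy entries are parsed but not reported.
    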

  11. dt1986

    dt1986 TS Rookie Topic Starter

    OK, ComboFix and HJT logs are both attached.


  12. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, you appear clean so we will now address the virus cleaner.

    Yes, there is a much better virus scanner, Avira; it can be downloaded from the 8 Steps page.

    But first you should uninstall AVG properly; to do that follow these steps.

    In Control Panel > Add/Remove, uninstall AVG.

    then after a reboot do the below.

    AVG remover and run:

    Download extract and run Kleaner

    Then install Avira, update, and do a full scan; it is very good and will likely find issues. Post its log.

    You will definitely notice a substantial performance increase.

  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    When I suggest a change in antivirus programs, I do it a bit differently in order to always have some protection on the system:

    1. Download the new AV and SAVE to the desktop. Do NOT run it from the site and do not run it from the desktop yet.
    2. Download the AVG Remover and SAVE to your desktop. DO NOT run from the site and do not run from the desktop yet.
    3. Boot into Safe Mode: go to File> Work Offline
    This will stop the internet connection so that you are not vulnerable.
    4. Uninstall AVG. I haven't used the remover but when I uninstalled my AVG, I just took it off of start-up> Disable the Services> Uninstalled the program. The remover may do this all for you.

    5. Double click the new AV on the desktop to install it. Follow the prompts
    6. When installation is complete, reboot the computer into Normal Mode. When asked if you want to go back online, answer Yes.
    7. Update the new AV immediately and then run a complete system scan.
  14. dt1986

    dt1986 TS Rookie Topic Starter

    Scan revealed more viruses and has quarantined them all. Getting slightly depressed by this all!

  15. mflynn

    mflynn TS Rookie Posts: 2,655

    Well, just in time then; the found items were false positives.

    You did a great job!

    Thread Closing-------------------------------------------------------------------

    Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

    Remove ComboFix
    combofix /u
    Hit enter or click OK.

    Please download OTCleanIt

    Save to desktop.

    This will remove all the tools we used to clean your computer.

    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by Firewall. Approve Windows Defender or other guards or security programs while OTCleanIt is attempting to access the Internet, to allow all.

    If prompted to reboot, click Yes.
    OTCleanIt will delete itself when finished; if not, delete it yourself.

    Run CCleaner (get SLIM at bottom no Yahoo toolbar)
    Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

    Run ATF-Cleaner Temp and Registry, repeatedly until no more found.

    Fantastic cleaner. (When installing, uncheck Relevant Knowledge; do not install it.)
    The issues can be, and are likely, found in System Restore, so do the below.

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.
    Add a redundant Reg backup: get and install ERUNT, let it add itself to startup and do a backup on install; check all boxes.

    Yes! Even if you use system restore and other backups Registry and Images.

    Every two weeks or so, run MBAM and SAS until clean.

    They take a while, so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

    If they find something they can not clean, then get back to us.

    Additionally run CCleaner, ATF-Cleaner and KCleaner.
    I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

    It was designed to be used with and to co-exist with other Virus scanners.

    Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

    It's like looking at it with 2 sets of eyes and from a different angle.

    It works like some Firewalls do to learn what is good/bad.

    After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

    As it queries you about the prompt to help you determine to approve or not you can google it with one click.
    Look at

    Run SpyBot occasionally and use the Immunize function.

    I highly recommend Hostman: Hostman

    Download install run and allow it to disable DNS Client and select all Host files and then Update and install all host files.

    A Disk Scan (chkdsk) and Defrag are in order.

  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Virut is what's called a polymorphic virus

    A virus that changes its virus signature (i.e., its binary pattern) every time it replicates and infects a new file in order to keep from being detected by an antivirus program.

    A type of computer virus that has the capability of changing its own code, allowing the virus to have hundreds, sometimes thousands, of different variants, making it much more difficult to notice and/or detect.

    So let's try a different regimen since previous didn't completely remove:
    Please follow the list of recommended programs to run> IN ORDER here:

    Try this first: You can give this a try to see if it will work on your OS: Win32/Virut Removal Tool

    If it does not work, go to the steps set up in this link:

    Some of this will be redundant as you have already done it. But run the programs given: NOTE: if you already have the program on your system, UPDATE it before scanning.

    Post all of the logs as you did with the TechSpot Steps.

    Just like 'germs' for humans, the virus wants to survive. The more things that are thrown at it, the more it's going to change-mutate- to a form that can survive the latest assault. Hopefully this will be a regimented list of programs capable of capturing ALL the morphs at once!

    EDIT: No Mike- I don't think they were false positives!
    And YOU cannot close a thread!
  17. mflynn

    mflynn TS Rookie Posts: 2,655

    Polymorpigus What!!! How dare you talk to us like that! Is that some kind of insect?? :grinthumb

    Who said I was closing an actual thread, like in locking it from further use like a MOD!.

    My closing is just a wrap up. I think everyone else knew that now you do also!

    DT can do what he wants. I think he is finished!

    You need to read the posts better Bobbye!

    Me in post #2
    Of your Majorgeeks references one of them is 4 years old and the other going on 2 years old!

  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

  19. mflynn

    mflynn TS Rookie Posts: 2,655


    You are a Hoot Bobbye!:stickout:

    Well I still like you Bobbye and don't care what the others say!:approve:

    Well enough fun for now.

    Nite Bobbye!

  20. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Others say that Bobbye is the best here ;)

    As for Avira finding 15 Viruses and removing them, yep that sounds correct to me being an AVG hater.
  21. jobeard

    jobeard TS Ambassador Posts: 11,166   +986

    a real GEEK Term: polymorphic

    google for "define: polymorphic" and see reference # 3 :)
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Actually, polymorphic is another term borrowed from biology, anatomy and chemistry> kind of like we use the term 'virus':

    Gk polýmorphos; see poly-, -morph
    poly-a combining form with the meanings “much, many”
    morph- combining form meaning “form, structure"

    So we end up with a very descriptive term for this virus which changes to many forms!

  23. dt1986

    dt1986 TS Rookie Topic Starter

    I can't believe someone had to define polymorphic, it is obvious what the word means...

    Right, I'm a little confused with what the best course of action is now.

    Do I go with Bobbye's post, or mflynn's? I'm thinking that a format and reboot might just be the only course of action now...
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    I defined it because of the nature of the virus. I don't think you got False Positives. I think the viruses morphed. Some of my post contains steps Mike gave you, but in a different order and with additional programs. It doesn't matter if the page is 'two years old'. The nature of the beast is still the same.

    I do not follow the same steps as Mike does after the initial logs are given. I open ALL the logs and make my decisions based on what I see and the 'symptoms' the user is having. I don't know what shape your system has ended up in- you may be forced to do the reformat-OR-you can try what I set up.

    However, I would suggest you remove ALL the cleaning programs that were added first:
    Download OTCleanIt HERE & save it to your desktop.
    Clear your existing System Restore points and establish a new clean restore point:

    I'm sorry the problem wasn't resolved.
  25. mflynn

    mflynn TS Rookie Posts: 2,655

    DT you are clean no format!!!!!

    And you have already done the OTCleanIt and cleanmgr in post #15. So no need to repeat!

    Your computer is running good now is it not??

Topic Status:
Not open for further replies.
