
Virtool: Win32/obfuscator!mal



#1 tesyeuxnoirs


Posted 20 January 2008 - 01:29 AM

Hello everyone, I've come to bleepingcomputer.com after a week of trying to fix this myself. This seems like the place with the most talent to seek help from.

OS: Windows XP home

Symptoms/Concerns:

1. Cannot open hard drives (when I double-click my hard drives, I get a prompt that asks me what program I want to open it with).
2. Cannot view hidden files; cannot make files viewable or hidden
3. I am worried about losing banking/identity information, keylogging, and the like.

Things I've tried:

1. Microsoft's onecare.live.com security scanner
2. Using Avast virus scanner
3. Booting into safe mode and running AVG's vcleaner.exe

After running the security scanner with IE at onecare.live.com from Microsoft, I was told I have VirTool: Win32/Obfuscator!Mal on my computer. Microsoft's scanner was unable to get rid of my problem. Other scanners do not detect it and I have not been able to remove it.

Thank you very much for your time.



#2 quietman7

  • Global Moderator

Posted 20 January 2008 - 10:06 AM

From what you describe, it appears to be a flash drive infection. Symptoms include the inability to open drives/partitions.

Flash drive infections usually involve malware that loads an autorun.inf file into the root folder of all drives (internal, external, removable). When the removable media is inserted, autorun looks for autorun.inf and automatically executes another malicious file to run on your computer. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled.

Please insert your flash drive before we begin!

Download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that is plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Please download MsnCleaner.zip and save it to your Desktop. In addition to removing infected files, it will remove certain restrictions on your system often disabled by malware.
  • Extract (unzip) the file to your desktop (click here if you're not sure how to do this), but DO NOT use it yet.
  • Reboot your computer in "Safe Mode" using the F8 key. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A boot menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
  • Double-click MsnCleaner.exe to run the tool.
  • Click the "Analyze" button.
  • A report will be created after the scan and will be saved to C:\MsnCleaner.txt.
  • If it finds an infection, click the "Deleted" button.
  • Reboot normally and post the contents of MsnCleaner.txt in your next reply.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
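
Added example, not part of quietman7's post and not code from either tool named in it: a read-only Python audit of a drive root that reports whether autorun.inf is absent, a file (listing the entries that would launch a program), or a folder like the one Flash_Disinfector is described as creating. The sample content, file names and function names are constructed for illustration.

```python
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")

def parse_autorun(text):
    """Return (key, command) pairs from the [autorun] section that launch a program."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            # shell\<verb>\command entries replace the drive's double-click / menu action
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                entries.append((key, value))
    return entries

def audit_root(root):
    """Classify a drive root: 'absent', 'folder' (placeholder directory) or 'file'."""
    for entry in os.scandir(root):
        if entry.name.lower() == "autorun.inf":  # Windows treats the name case-insensitively
            if entry.is_dir():
                return "folder", []
            with open(entry.path, "r", errors="replace") as fh:
                return "file", parse_autorun(fh.read())
    return "absent", []

# Constructed sample content, not taken from the infection discussed in this thread
SAMPLE = ("[AutoRun]\n;constructed sample\nopen=sample_placeholder.exe\n"
          "shell\\open\\Command=sample_placeholder.exe\nicon=drive.ico\n")

def demo():
    """Build three constructed 'drive roots' in a temp directory and audit each."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for name in ("clean", "infected", "immunized"):
            os.mkdir(os.path.join(base, name))
        with open(os.path.join(base, "infected", "AUTORUN.INF"), "w") as fh:
            fh.write(SAMPLE)
        os.mkdir(os.path.join(base, "immunized", "autorun.inf"))
        for name in ("clean", "infected", "immunized"):
            results[name] = audit_root(os.path.join(base, name))
    return results

if __name__ == "__main__":
    for name, (status, entries) in demo().items():
        print(name, status, entries)
```

On a real system, call `audit_root` on each drive root (for example `C:\\` and the removable drive); a `file` result with launch entries is the case that needs cleaning.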

#3 tesyeuxnoirs


Posted 20 January 2008 - 05:33 PM

Hi, I wanted to thank you for helping me get started and for the extent of your knowledge. :thumbsup:

Before your reply, I left Kaspersky Anti-Virus (6.0.3.837) running overnight and today afternoon before I got to your reply, it told me this:

deleted: virus Worm.Win32.Autorun.bua. Object: File: C:\autorun.inf.

deleted: virus Worm.Win32.Autorun.bua Object: File: D:\autorun.inf.

I then went to install and run the Flash_Disinfector you recommended and it completed everything successfully.

Then, I downloaded and extracted the MsnCleaner.exe, and proceeded to boot into safe mode.

But then when I went to log into Windows in Safe Mode and hit Enter after typing in my password, my system rebooted itself into normal mode.

(I logged in with the account I created and not "Administrator," though I don't know enough about computers to know if this makes a difference. When booting into windows normally, only the account name I created is displayed and "Administrator" doesn't show).

I can access my drives normally now and change my folder options to view hidden files and un-hide ones I need, I think it was Kaspersky's and Flash_Disinfector's doing. However, I found it weird being kicked out of safe mode and into a normal reboot.

What do you recommend? Thank you very much for your time.

#4 quietman7


Posted 21 January 2008 - 07:42 AM

Can you post the results from C:\MsnCleaner.txt?

I didn't know you were going to run a scan with Kaspersky AV in addition to what I instructed. So from the steps you describe it appears Kaspersky may have deleted something causing your issue. Can you post the results of that scan? Did it delete or quarantine what it found?

#5 tesyeuxnoirs


Posted 21 January 2008 - 08:38 PM

Hello,

I wasn't able to run Msncleaner.exe in safe mode because my computer reset itself into normal booting mode.

Here are the results of the Kaspersky Anti-Virus scan; those two auto-run files were deleted from the system and not quarantined:

deleted: virus Worm.Win32.AutoRun.bua File: C:\autorun.inf
deleted: virus Worm.Win32.AutoRun.bua File: D:\autorun.inf

Tomorrow I will boot into safe-mode and run Msncleaner.exe (too many research program applications to fill out!)

Thank you very much for your time, patience, and expertise.

#6 jsant013


Posted 04 January 2009 - 06:29 PM

Hello,
I am currently running Windows Live OneCare. I have no viruses, but every time I start up my laptop, Virtool:Win32/obfuscator.DV has to be removed by Windows Live OneCare. Why won't it permanently remove it? How can I permanently remove it?
Thank you!

#7 quietman7


Posted 04 January 2009 - 10:16 PM

Welcome to BC jsant013

If you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more members at the same time in the same thread. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

Thanks for your cooperation.
The BC Staff