Win32:Virut, Win32:CTX, and more?


16 replies to this topic

#1 ZachIn2036


Posted 24 October 2008 - 12:31 AM

Hello guys. I'm at my wit's end here. I'm usually pretty good at cleaning virii - but I'm used to the easy-to-clean stuff where you boot in safe mode and delete your Local Settings/Temp folder or delete any suspicious stuff in the system32 folder, kill weird processes, msconfig suspicious stuff out of the logon routine, etc. Or, as my IT guy at work says, I know just enough to get myself in REALLY deep without the knowledge to get myself out :thumbsup:

If someone could steer me in the right direction, I'd appreciate it. I was installing a program, and all of the sudden, Avast Antivirus and Comodo Firewall went ballistic. Some of the stuff I caught as it went by were Win32:Virut and Win32:CTX. When I google these, I don't get a very good feeling about my computer's future.

In the meantime, a new Administrator account has been made in Windows XP - I've always only had my own account and that's it. When I'm in normal mode AND safe mode, my task manager is disabled. I get a webpage loaded as an active desktop asking me to go to some .CN website (I'm not THAT dumb). I get a nasty popup that when I googled the text of it, came up as something like Trojan.Fake.D or something.

I have HijackThis on my system and when I look through it, one of the things that stands out to me is this line:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe


Any ideas? Thanks in advance....



#2 quietman7


Posted 25 October 2008 - 08:54 AM

You have a nasty infection on your system. Virut/Virtob is a file infector virus with IRC bot functionality which infects all .exe and .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. When disinfection is attempted, the files become corrupted and the system may become irreparable. Please read miekiemoes' Blog on Virut.

Virut/Virtob is contracted and spread by visiting remote, crack and keygen sites. Those who attempt to get software for free may end up with a computer system so badly damaged that recovery is not possible and a Repair Install will NOT help! Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over, reformatting the drive and performing a clean install removes everything.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

There is no guarantee the infection can be completely removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, disinfection will require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a hijackthis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 9 there are instructions for downloading the HijackThis Installer and creating a log. This is an automatic setup version which will install the program in the proper location.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 ZachIn2036


Posted 25 October 2008 - 01:58 PM

Yikes. Thanks. Seems the best thing to do is get any non-EXE or SCRs off the drive that I need and just dump the partition. I'm not married to everything on my drive (but I'll miss it), and I can get a good amount of it off before I wipe it, provided that it's "safe" for me to use a CD/DVD burning program to back up my My Documents folder, Outlook accounts, Pictures, etc etc.

I don't want to plug my external hard drive into the computer at this point for risk of infection - so I'm going to have to go into the long process of burning to DVD. A 300gb hard drive backed up 4.7gb at a time - but if that's what it takes, that's what it takes.

Thanks for the help! It sounds like with an infection like this, it'd be a waste of the forum's resources and members for me to try to clean the infection and post a HijackThis log for people to dissect.

So...next step: evaluate what I can burn to disc (no EXEs or SCRs!) and get burning.

#4 ZachIn2036


Posted 25 October 2008 - 09:10 PM

Alright, need more advice.

Sorry to post again in my own topic, but I just thought of something and have a question related to my decision to "start over". I need a larger hard drive ANYWAY - so if I decide to just buy a new hard drive and use it as my master (booting with a fresh OS), can I hook this drive up as a slave without the risk of infecting the new drive provided that I don't run any EXE or SCR files? So...what I'd do is hook the infected drive up as a slave, copy the files off of it that I need (again, no EXEs or SCRs), and then repartition the infected drive to wipe the virus. Would that work? Or would some process behind-the-scenes somehow awaken the virus and make it infect the new drive?

Thanks again guys...I'm really frustrated with the whole situation - but if I can go get myself a larger HDD out of it, it's not all bad!

#5 quietman7


Posted 25 October 2008 - 10:21 PM

If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension to the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

If you slave an infected drive to a master, you are at risk of compromising the new drive with infection. It's much safer to back up your data to a CD instead and reformat the infected drive if you want to continue to use it.

#6 ZachIn2036


Posted 26 October 2008 - 02:08 AM

Darn. Alright...going to backup around 200gb, 4.7gb at a time. It could be worse.

Thanks for your help, quietman7!

#7 iisjman07


Posted 26 October 2008 - 02:19 AM

If you haven't already re-formatted, please try running this free tool from AVG:
http://www.avg.com/us.virus-removal.ndi-67762
It's a Win32/Virut removal tool and should help...

Also try Dr.Web's CureIT here:
http://www.freedrweb.com/cureit/
I have seen from many forums that these two are good at removing virut infections.
It is best to run them from Safe Mode or from a CD running BART like here:
http://www.hm2k.com/posts/win32-virtob-virut-removal

Edited by iisjman07, 26 October 2008 - 02:30 AM.


#8 quietman7


Posted 26 October 2008 - 07:45 AM

Yes, those tools work against some variants but may not detect/remove everything related to the infection, otherwise I would have suggested using them. If one wants to attempt disinfection, then a comprehensive examination of the system should be conducted using more powerful tools than we recommend here. In order to do that, you have to start by posting a hijackthis log as I previously noted as a starting point. Even then, there is no guarantee that every infected file will be found.

#9 ZachIn2036


Posted 26 October 2008 - 03:46 PM

Yeah...seems like there are too many variables to trying to clean the infection (and remember my virus scanner's coming up with both Virut and CTX - I don't know what CTX is or does, but clearly I've got more going than JUST Virut).

I could probably overthink this all day - do you think it'd be safer for me to boot from a flashdrive running a linux distro in order for me to backup my non-infected stuff, or am I fine just booting to safe mode and running my normal burning programs like CDBurnerXP? I guess I'm just trying to come up with a way to get to and burn my data without "awakening" the virus during the windows load process. Or am I just overthinking it?

#10 iisjman07


Posted 27 October 2008 - 01:55 AM

No that would probably be the best way to backup your data (using the linux disk)... Remember to scan the usb drive when you plug it in your newly formatted pc

#11 ZachIn2036


Posted 27 October 2008 - 02:50 PM

No that would probably be the best way to backup your data (using the linux disk)... Remember to scan the usb drive when you plug it in your newly formatted pc


Thanks iisjman07 - any recommendation on a thumbdrive linux? I frequent downloadsquad and lifehacker - and saw this today: http://lifehacker.com/5069054/battle-of-th...e-linux-systems

I don't know much anything about linux, but I'm imagining that there's got to be a distro that has a cd/dvd burner on it.

I just figure if I'm booting off of the flash, it won't immediately "awaken" the virus - it'll only replicate if I execute an infected EXE...I think. haha

#12 iisjman07


Posted 28 October 2008 - 08:32 AM

What would be simplest and best would be to download a linux live CD. Using a thumb drive to boot linux is annoying, because you have to format in a special way and there's little point doing so.... Now you need to decide which Distro you want (basically which version). If you prefer simple, try an Ubuntu Live CD, but the download is pretty big (700mb approx). However, if you prefer a smaller download but a little bit more advanced I'd recommend Puppy linux (approx 100mb). As for what you know about linux, it doesn't matter... All you need to know now is linux uses different file extensions and has a different kernel to windows. This means that whilst being able to open things like pictures and documents, it can't open things specific to Windows, like .exe's, .dll's and .bat's. This is good because it means your virus cannot run in linux. The amount of viruses that affect linux I could count on 2 hands, but the amount that affect windows I would need an awful lot more hands....

http://www.puppylinux.org/downloads
http://www.ubuntu.com/getubuntu/download


#13 ZachIn2036


Posted 28 October 2008 - 10:18 AM

What would be simplest and best would be to download a linux live CD. Using a thumb drive to boot linux is annoying, because you have to format in a special way and there's little point doing so...


Will I need two disc drives to do this? I mean, to run a linux distro from disc and then burn DVDs from it in order to back my stuff up? I've only got one - which is why the flash drive method appealed to me - but if I can load linux from the CD and it somehow stays memory resident so I can use my burner to back stuff up, then that's cool. Or, of course, if I can just temporarily install it on its own partition, boot into linux, do my backing up, then wipe and repartition the drive and start from scratch...

#14 iisjman07


Posted 28 October 2008 - 11:44 AM

What I meant was you use the CD to run Linux (that's the only CD you'll need). Then you can plug in a thumb drive and backup your files... sorry if my explanation confused you...

If you still aren't completely sure, this web page should help clear things up:
http://www.howtogeek.com/howto/windows-vista/use-ubuntu-live-cd-to-backup-files-from-your-dead-windows-computer/

In the middle of the page there is a section on what to do when you can't 'mount' (open) your drive. Don't read this unless you get the same problem, as it can be daunting and may put you off the whole idea...

PS: You may find it to be a bit slow, this is because it's running off the CD, and a CD is slower than a hard drive.

If you need help finding out where files may be don't hesitate to ask...
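The advice in this thread boils down to one rule for the backup: carry over documents and pictures, leave behind anything Windows could execute, and look at the full file name rather than what Explorer shows. The script below is an added example written for this page, not something posted in the thread or shipped with any of the tools mentioned in it. It assumes the infected Windows partition has already been mounted read-only from the live CD at a path you supply (the "/media/windows" name in the comments is an assumption) and sorts every file into copy or skip with a reason: the .exe/.scr/.dll/.bat types and autorun files the posts name, names that hide an executable behind a second extension such as holiday.jpg.exe, and, going one step beyond the thread, any file whose first two bytes are the "MZ" header of a Windows program regardless of what it is called. The demo folder it builds is constructed sample data, not files from anyone's machine.

```python
"""Sort a Windows data tree into files safe to copy and files to leave behind.

Added example for this thread, not code from any poster or tool mentioned here.
Assumes the infected partition is mounted read-only somewhere from the live CD;
the demo builds its own constructed sample tree instead of touching a real disk.
"""
from __future__ import annotations

import os
import shutil
import tempfile
from pathlib import Path

# Types the posts say not to carry over: a file infector such as Virut targets
# .exe and .scr, and .dll/.bat are Windows-only executables named in the replies.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".dll", ".bat"}
# Autorun files can start a program when a drive is plugged in.
AUTORUN_NAMES = {"autorun.inf", "autorun.ini"}
# Every Windows program starts with the "MZ" DOS header, whatever its name.
PE_MAGIC = b"MZ"


def classify(path: Path) -> tuple[str, str]:
    """Return ("copy", "") or ("skip", reason) for one regular file."""
    name = path.name.lower()
    suffixes = [s.lower() for s in path.suffixes]
    if name in AUTORUN_NAMES:
        return "skip", "autorun file"
    if suffixes and suffixes[-1] in EXECUTABLE_EXTENSIONS:
        # "holiday.jpg.exe" shows as "holiday.jpg" when Explorer hides known
        # extensions, which is the disguise quietman7 warns about.
        if len(suffixes) > 1:
            return "skip", f"executable disguised with extra extension {suffixes[-2]}"
        return "skip", f"executable type {suffixes[-1]}"
    try:
        with path.open("rb") as fh:
            head = fh.read(len(PE_MAGIC))
    except OSError as exc:
        return "skip", f"unreadable ({exc.strerror})"
    if head == PE_MAGIC:
        return "skip", "PE header in a file not named as an executable"
    return "copy", ""


def triage_tree(root: Path) -> dict[str, list[tuple[str, str]]]:
    """Walk root and bucket every regular file as copy or skip, with a reason."""
    result: dict[str, list[tuple[str, str]]] = {"copy": [], "skip": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in sorted(filenames):
            path = Path(dirpath, filename)
            if not path.is_file():  # leaves out sockets, broken links and the like
                continue
            verdict, reason = classify(path)
            result[verdict].append((path.relative_to(root).as_posix(), reason))
    return result


def copy_safe(src: Path, dst: Path) -> dict[str, int]:
    """Copy only the files classified as safe into dst, keeping the folder layout."""
    report = triage_tree(src)
    for rel, _ in report["copy"]:
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src / rel, target)
    return {"copied": len(report["copy"]), "skipped": len(report["skip"])}


def build_demo_tree(base: Path) -> Path:
    """Create a constructed stand-in for a user's Documents folder."""
    docs = base / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "letter.doc").write_bytes(b"\xd0\xcf\x11\xe0 compound document stub")
    (docs / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0 jpeg stub")
    (docs / "holiday.jpg.exe").write_bytes(b"MZ\x90\x00 program hiding behind .jpg")
    (docs / "setup.exe").write_bytes(b"MZ\x90\x00 ordinary installer")
    (docs / "autorun.inf").write_bytes(b"[autorun]\r\n")
    (docs / "invoice.pdf").write_bytes(b"MZ\x90\x00 program renamed to .pdf")
    return base


def run_demo() -> dict:
    """Build the sample tree in a scratch directory, triage it and copy the safe part."""
    with tempfile.TemporaryDirectory() as tmp:
        src = build_demo_tree(Path(tmp) / "windows")  # stands in for /media/windows
        dst = Path(tmp) / "backup"
        report = triage_tree(src)
        counts = copy_safe(src, dst)
        copied = sorted(p.name for p in dst.rglob("*") if p.is_file())
        return {"report": report, "counts": counts, "copied": copied}


if __name__ == "__main__":
    demo = run_demo()
    for rel, reason in demo["report"]["skip"]:
        print(f"SKIP {rel}: {reason}")
    print(f"copied {demo['counts']['copied']}, skipped {demo['counts']['skipped']}")
```

Run it with no arguments to see the demo; on a real live CD session you would call copy_safe() with the mounted Windows folder as src and the thumb drive as dst, then, as the posts advise, scan the thumb drive with an up-to-date antivirus before reading anything back on the rebuilt machine. The MZ check is deliberately simple: it catches a program renamed to .pdf, but it is not a substitute for that scan, since a document infected in some other way starts with its normal header.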

#15 ZachIn2036


Posted 28 October 2008 - 12:09 PM

Thanks, iisjman07 - that guide is better than the others I had seen out there (hooray, screenshots!)

So...what I'm guessing I'm seeing is that Ubuntu will give me the option to even install to the HDD that I've got Windows on in the free space (can it pull free space out of another partition and into its own)? My big concern is that I have about 200gb of stuff I need to back up, so it's got to go onto DVDs (4.7gb at a time - snore), so I'll need to install linux and then take the linux CD out so I can put in blank DVDRs and burn stuff.

Otherwise, I've been doing a lot of reading on the linux option and I like it, since I still get a functional GUI without invoking any Windows EXEs, and thus, the virus stays dormant.



