Infected with Win32.Virut.Gen


This topic is locked
33 replies to this topic

#1 pasquale666


  • Members
  • 20 posts
  • OFFLINE
  • Local time:01:50 PM

Posted 24 October 2008 - 06:00 PM

Dear All,

My PC (equipped with Windows XP) has been infected with Win32.virut.gen virus. I have tried the following actions:

1) formatting (the only partition I have) and re-installing the OS
2) running SFC
3) running rmvirut
4) disabling System Restore

After that the virus is still in there. I don't know what else to try, so you're my last resort.

I attach the Hijackthis log as well.

Thanks for helping me!


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:18:23, on 25.10.2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\ISW\alice\signup\alicecnn.exe
C:\Programme\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alice-dsl.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alice-dsl.de
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe
O4 - HKLM\..\Run: [saf] C:\WINDOWS\system32\daskj.exe
O4 - HKLM\..\Run: [Microsoft Anivirus Monitor Process] antiv.exe
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\System32\explorer.exe
O4 - HKLM\..\Run: [Microsft Security Monitor Process] mssmpp.exe
O4 - HKLM\..\Run: [PCTAVApp] "C:\Programme\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [aaafxwtd] %systemroot%\aaafxwtd.exe
O4 - HKLM\..\RunServices: [Microsoft Anivirus Monitor Process] antiv.exe
O4 - HKLM\..\RunServices: [Microsft Security Monitor Process] mssmpp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{85E9C61D-CA13-4795-B3AB-E5928D166B05}: NameServer = 213.191.74.19 62.109.123.197
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Local Service - Unknown owner - C:\WINDOWS\wuaucpl.exe (file missing)
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Programme\PC Tools AntiVirus\PCTAVSvc.exe

--
End of file - 3119 bytes

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

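The O4/O17/O20/O23 lines in a HijackThis log can be triaged mechanically before anyone reads them by hand. The script below is an added example written for this page; it is not part of the thread, nor part of HijackThis or ComboFix. It applies a few heuristics, which are this example's own assumptions rather than malware signatures, to the entries above: a bare filename in a Run key (resolved via PATH search, so the file's real location is hidden), the Windows 9x-only RunServices key, entry names that nearly but not exactly spell a vendor word ("Anivirus", "Microsft"), a well-known system binary living in the wrong directory, Winlogon Notify DLLs, services whose binary is missing or unsigned, and non-default DNS servers. The sample input is copied from the log in post #1; BRAND_WORDS and KNOWN_HOME are assumed lists, not anything HijackThis ships.

```python
"""Heuristic triage of HijackThis O4/O17/O20/O23 entries (added example)."""
import re
from difflib import SequenceMatcher

# Constructed sample: the O4/O17/O20/O23 entries copied from the log in post #1.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe
O4 - HKLM\..\Run: [saf] C:\WINDOWS\system32\daskj.exe
O4 - HKLM\..\Run: [Microsoft Anivirus Monitor Process] antiv.exe
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\System32\explorer.exe
O4 - HKLM\..\Run: [Microsft Security Monitor Process] mssmpp.exe
O4 - HKLM\..\Run: [PCTAVApp] "C:\Programme\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [aaafxwtd] %systemroot%\aaafxwtd.exe
O4 - HKLM\..\RunServices: [Microsoft Anivirus Monitor Process] antiv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{85E9C61D-CA13-4795-B3AB-E5928D166B05}: NameServer = 213.191.74.19 62.109.123.197
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Local Service - Unknown owner - C:\WINDOWS\wuaucpl.exe (file missing)
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Programme\PC Tools AntiVirus\PCTAVSvc.exe
"""

# O4 lines have the shape: O4 - <hive>\..\<key>: [<entry name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Assumed list of words that malware entry names imitate; a near-miss is the tell.
BRAND_WORDS = ("Microsoft", "Windows", "Antivirus", "Security")

# Assumed canonical directories (lower-cased) for two binaries seen in the log.
KNOWN_HOME = {"explorer.exe": r"c:\windows", "ctfmon.exe": r"c:\windows\system32"}


def command_exe(cmd):
    """Return the executable path from a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def lookalike_words(name):
    """Return (word, brand) pairs where word nearly, but not exactly, matches a brand word."""
    hits = []
    for word in re.findall(r"[A-Za-z]{5,}", name):
        for brand in BRAND_WORDS:
            if word.lower() == brand.lower():
                break  # exact spelling: nothing to flag
            if SequenceMatcher(None, word.lower(), brand.lower()).ratio() >= 0.85:
                hits.append((word, brand))
                break
    return hits


def check_o4(m):
    """Apply the Run-key heuristics to one parsed O4 line."""
    reasons = []
    exe = command_exe(m["cmd"])
    if "\\" not in exe:
        reasons.append("bare filename %r: resolved via PATH search, so the file's location is hidden" % exe)
    if m["key"].lower().startswith("runservices"):
        reasons.append("RunServices key: a Windows 9x key that XP does not process; "
                       "legitimate XP software has no reason to write it")
    for word, brand in lookalike_words(m["name"]):
        reasons.append("entry name misspells %r as %r" % (brand, word))
    base = exe.rsplit("\\", 1)[-1].lower()
    parent = exe.rsplit("\\", 1)[0].lower() if "\\" in exe else ""
    if base in KNOWN_HOME and parent and parent != KNOWN_HOME[base]:
        reasons.append("%s normally lives in %s, found in %s" % (base, KNOWN_HOME[base], parent))
    return reasons


def triage(log_text):
    """Return (line, reason) pairs for every entry some heuristic flags."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        m = O4_RE.match(line)
        if m:
            reasons = check_o4(m)
        elif line.startswith("O17 - "):
            reasons = ["non-default DNS servers configured: confirm they belong to the ISP"]
        elif line.startswith("O20 - Winlogon Notify:"):
            reasons = ["Winlogon notification DLL: loaded into winlogon.exe at logon; verify its publisher"]
        elif line.startswith("O23 - "):
            if "(file missing)" in line:
                reasons.append("service points at a missing binary: orphaned or already-deleted component")
            if "Unknown owner" in line:
                reasons.append("service binary carries no publisher information")
        findings.extend((line, r) for r in reasons)
    return findings


def flagged_executables(log_text):
    """The distinct O4 executables that were flagged, in log order."""
    exes = []
    for line, _ in triage(log_text):
        m = O4_RE.match(line)
        if m and command_exe(m["cmd"]) not in exes:
            exes.append(command_exe(m["cmd"]))
    return exes


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print("%s\n    -> %s" % (line, reason))
```

Run against the sample, the script singles out antiv.exe, mssmpp.exe and the System32 copy of explorer.exe, the RunServices entry, the Winlogon Notify DLL, the orphaned "Local Service" service and the DNS entry, while leaving the PC Tools and ctfmon.exe entries alone. Entries such as daskj.exe and aaafxwtd.exe pass every heuristic here, which is the usual limit of name-based triage: they still need a file-level check.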

#2 kahdah


  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:02:50 PM

Posted 24 October 2008 - 10:29 PM

Hello pasquale666

Welcome to BleepingComputer!
========================
Virut is a file infector; it has probably infected most, if not all, of the .exe files on your computer.
Even if we attempt to clean this machine, I can't guarantee that it will work correctly afterwards.
I really do think that you need to reformat again and start from scratch with this one.
But if you do not wish to reformat again then we will attempt to clean it.
=============================================
Also one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#3 pasquale666


Posted 25 October 2008 - 03:03 AM

Hi Kahdah,

Thanks for your reply! Indeed I would not mind reformatting my system, as at this very moment there is not much data and there are not many programs on it. The issue is that I have already reformatted the system once, and afterwards the system was still there.

Do you have any idea why? Seemingly there must be some location where the virus is hiding which I did not clean at all. This computer has only one partition...

Can you help?

thanks!

#4 pasquale666


Posted 25 October 2008 - 05:45 AM

a quick addendum...

Indeed there is a primary C: partition which takes almost the whole disk capacity, plus a tiny unallocated logical partition of approx. 10 MB.

Can the virus reside in such an unallocated logical partition?

#5 kahdah


Posted 25 October 2008 - 06:16 AM

If it is unallocated then it would not be able to stay on or go to that partition.
There would have to be a file system on the partition in order for it to infect something.

Did you happen to back up any files to a flash drive prior to reformat?
If so then the flash drive is more than likely infected.

#6 pasquale666


Posted 25 October 2008 - 06:24 AM

I didn't back up anything on a flash drive... I will describe quickly what I did:

1) formatted C: by means of the Windows installer (from the original CD)
2) installed the software provided by the Internet provider
3) downloaded PC Tools AntiVirus
4) discovered that nothing had changed :-(

I can't really figure out where the virus resides or what I did wrong...

#7 pasquale666


Posted 25 October 2008 - 07:17 AM

Maybe an alternative would be cleaning the computer and then, if necessary, reformatting?

What do you think?

#8 kahdah


Posted 25 October 2008 - 07:24 AM

We will attempt to clean this computer.
It is odd that you reformatted but it is still there.
You did delete the partition and start from scratch, correct?
===============================
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both logs: log.txt (<<will be maximized) and info.txt (<<will be minimized)


#9 pasquale666


Posted 25 October 2008 - 12:26 PM

Yep, I did delete C:... I am puzzled as well...

Attached are the logs.

Thanks

Edited by pasquale666, 25 October 2008 - 12:44 PM.


#10 kahdah


Posted 25 October 2008 - 02:08 PM

Hi, please delete your version of ComboFix and then do the following:

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#11 pasquale666


Posted 25 October 2008 - 04:19 PM

Hi Kahdah,

Here is the ComboFix log!

Ciao


#12 kahdah


Posted 25 October 2008 - 05:11 PM

Open notepad and copy/paste the text in the quotebox below into it:


Driver::
Local Service

Collect::
C:\WINDOWS\EXPLORER.000
C:\WINDOWS\system32\SPOOLSV.001
C:\WINDOWS\system32\CTFMON.001
C:\WINDOWS\system32\4.tmp
C:\WINDOWS\system32\A.tmp
C:\WINDOWS\system32\8.tmp
C:\WINDOWS\system32\C.tmp
C:\WINDOWS\system32\SPOOLSV.000
C:\WINDOWS\system32\CTFMON.000
C:\WINDOWS\system32\ywuqhsda.tmp
C:\WINDOWS\system32\3.tmp
C:\WINDOWS\system32\6.tmp
C:\WINDOWS\system32\drivers\fdgokpadajtrkfy.sys 
C:\WINDOWS\system32\SPOOLSV.002


Rootkit::
C:\WINDOWS\system32\drivers\fdgokpadajtrkfy.sys 
C:\WINDOWS\system32\SPOOLSV.002

Save this as CFScript.txt


(screenshot)

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

Edited by kahdah, 25 October 2008 - 05:16 PM.


#13 pasquale666


Posted 26 October 2008 - 05:38 AM

Here is the log as per your last message!

PS some comments are in German (as I have got a German Windows XP) Hope this is not a big issue!


#14 kahdah


Posted 26 October 2008 - 07:53 AM

Hi, that looks like the previous ComboFix run.
Did you create the cf script and drag and drop it onto Combofix?

If not then please see my previous post and do so thanks.
If you did then we will continue another way.

#15 pasquale666


Posted 26 October 2008 - 12:42 PM

Yes, I followed your instructions and that's what I got.

Anyhow, it seems there is something impeding ComboFix from working properly (I get a message saying something is wrong with hidec.exe).

ciao
