Infection win32/virut.aj.dropper and win32/virut.aj.dropper


  • This topic is locked
3 replies to this topic

#1 DiTcH_Nz

  • Members
  • 2 posts
  • Local time: 04:37 PM

Posted 05 February 2009 - 11:13 PM

EDIT - Sorry, just noticed the title was wrong - should be "trojan horse rootkit-agent.bu and win32/virut.aj.dropper"

Hi

I have been having trouble over the last few days with various malware/spyware/viruses/trojans etc.
I have cleaned with MalwareBytes, SuperSpywareScanner, Enod32, AVG Free 8 and Counterspy, and they find and remove them, but a little bit later they are back - i.e. AVG finds them again when they pop up.
Also worth noting is that my Windows XP welcome screen no longer displays - only the old style network logon. I have checked the GINA dll and also the options in Control Panel/Users, but that does not restore them.

The viruses that are being found are:
trojan horse rootkit-agent.bu
win32/virut.aj.dropper
also sometimes spamtool.aqy

Another thing is that I am unable to browse web pages on my PC - both IE and Firefox just display blank pages every time (I am currently on another machine).

Cheers In Advance
DiTcH

DDS.Log

DDS (Ver_09-02-01.01) - NTFSx86
Run by DiTcH at 14:01:06.85 on Fri 06/02/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2047.1576 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
E:\_Firefox Downloads\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SBAMTray] c:\program files\sunbelt software\counterspy\SBAMTray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233795366829
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233795356782
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ditch\applic~1\mozilla\firefox\profiles\p8b4kz2j.default\
FF - prefs.js: network.proxy.type - 4

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-5 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-5 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-5 107272]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\cinemsup.sys [2003-12-19 6656]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2009-2-5 13360]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-2-5 353680]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-2-5 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-5 298264]
R2 SBAMSvc;CounterSpy Antispyware;c:\program files\sunbelt software\counterspy\SBAMSvc.exe [2008-10-28 886056]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-2-5 69168]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\201.tmp --> c:\windows\system32\201.tmp [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]

=============== Created Last 30 ================

2009-02-06 13:47 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\~0
2009-02-06 08:39 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-02-06 08:30 <DIR> --d----- c:\program files\Trend Micro
2009-02-06 08:25 <DIR> --d----- c:\program files\FileASSASSIN
2009-02-06 08:10 <DIR> --d----- c:\windows\pss
2009-02-06 07:09 <DIR> --d-h--- c:\windows\$hf_mig$
2009-02-05 20:41 3,072 a------- c:\windows\system32\drivers\audstub.sys
2009-02-05 20:41 57,600 a------- c:\windows\system32\drivers\redbook.sys
2009-02-05 20:41 6,400 a------- c:\windows\system32\drivers\enum1394.sys
2009-02-05 20:40 74,240 a------- c:\windows\system32\usbui.dll
2009-02-05 20:39 <DIR> --d----- c:\program files\common files\ODBC
2009-02-05 20:39 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-02-05 20:39 <DIR> --d--r-- c:\documents and settings\all users\Documents
2009-02-05 20:37 37,484 ac------ c:\windows\system32\dllcache\MW770.CAT
2009-02-05 20:37 13,472 ac------ c:\windows\system32\dllcache\HPCRDP.CAT
2009-02-05 20:37 8,574 ac------ c:\windows\system32\dllcache\IASNT4.CAT
2009-02-05 20:37 7,382 ac------ c:\windows\system32\dllcache\OEMBIOS.CAT
2009-02-05 20:37 7,334 ac------ c:\windows\system32\dllcache\wmerrenu.cat
2009-02-05 20:37 1,042,903 ac------ c:\windows\system32\dllcache\SP2.CAT
2009-02-05 20:37 797,189 ac------ c:\windows\system32\dllcache\NT5IIS.CAT
2009-02-05 20:37 399,645 ac------ c:\windows\system32\dllcache\MAPIMIG.CAT
2009-02-05 20:37 <DIR> --d----- c:\windows\system32\CatRoot2
2009-02-05 20:37 <DIR> --d----- c:\windows\system32\CatRoot
2009-02-05 20:36 <DIR> --d----- C:\Documents and Settings
2009-02-05 20:35 261 a------- c:\windows\system32\$winnt$.inf
2009-02-05 16:32 <DIR> --d----- c:\docume~1\ditch\applic~1\Malwarebytes
2009-02-05 16:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-05 16:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-05 16:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-05 16:15 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-05 16:15 <DIR> --d----- c:\docume~1\ditch\applic~1\SUPERAntiSpyware.com
2009-02-05 15:35 <DIR> --d----- c:\program files\Sophos
2009-02-05 13:23 <DIR> --d----- c:\program files\Realtek Sound Manager
2009-02-05 13:23 <DIR> --d----- c:\program files\AvRack
2009-02-05 13:23 <DIR> --d----- c:\program files\Realtek AC97
2009-02-05 13:10 <DIR> --d----- c:\program files\TV Whore
2009-02-05 13:09 <DIR> --d----- c:\program files\MP3TagClinic41
2009-02-05 13:06 <DIR> --d----- c:\program files\Bulk Rename Utility
2009-02-05 13:02 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2009-02-05 12:55 <DIR> --d----- c:\program files\SpiritPyre Extensions
2009-02-05 12:54 <DIR> --d----- c:\program files\Media Whore
2009-02-05 12:37 <DIR> --d----- c:\program files\Zone Labs
2009-02-05 12:36 <DIR> --d----- c:\program files\VSO
2009-02-05 12:35 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-02-05 12:34 <DIR> --d----- c:\program files\Skype
2009-02-05 12:04 <DIR> --d----- c:\program files\ProcessExplorer
2009-02-05 12:00 <DIR> --d----- c:\program files\GIGABYTE
2009-02-05 11:58 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-02-05 11:40 <DIR> --d----- c:\program files\common files\Sonic Shared
2009-02-05 11:40 <DIR> --d----- c:\program files\common files\TiVo Shared
2009-02-05 11:40 <DIR> --d----- c:\program files\Roxio
2009-02-05 11:39 <DIR> --d----- c:\program files\Sonic
2009-02-05 11:33 <DIR> --d----- c:\program files\PowerISO
2009-02-05 11:27 <DIR> --d----- c:\docume~1\ditch\applic~1\Sunbelt
2009-02-05 11:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sunbelt
2009-02-05 11:27 <DIR> --d----- c:\program files\Sunbelt Software
2009-02-05 11:17 <DIR> --d----- c:\program files\MSXML 6.0
2009-02-05 11:15 <DIR> --d----- c:\program files\MSXML 4.0
2009-02-05 10:55 <DIR> --ds---- c:\documents and settings\ditch\UserData
2009-02-05 10:54 <DIR> --d----- c:\program files\AVG
2009-02-05 10:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-05 10:47 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-02-05 10:47 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-02-05 10:47 <DIR> --d----- c:\program files\common files\MSSoap
2009-02-05 10:45 <DIR> --d----- c:\program files\Online Services
2009-02-05 10:45 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-02-05 10:45 <DIR> --d----- c:\program files\Messenger
2009-02-05 10:45 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-02-05 10:45 <DIR> --d----- c:\program files\Windows NT

==================== Find3M ====================

2009-02-06 08:57 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-06 08:57 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-06 08:57 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-06 08:20 66,560 ----h--- c:\windows\system32\secupdat.dat
2009-02-05 12:38 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-02-05 12:16 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-05 10:46 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-11 20:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 10:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-12-08 21:53 57,344 a------- c:\windows\system32\ff_vfw.dll
2008-12-08 04:08 795,648 a------- c:\windows\system32\xvidcore.dll
2008-12-08 04:08 130,048 a------- c:\windows\system32\xvidvfw.dll
2008-11-13 15:18 1,221,008 a------- c:\windows\system32\zpeng25.dll

============= FINISH: 14:01:31.42 ===============

Edited by DiTcH_Nz, 05 February 2009 - 11:19 PM.


#2 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender: Male
  • Local time: 05:37 PM

Posted 14 February 2009 - 11:24 AM

Hello.

Virut is a very nasty infection.

Virut File Infector Warning
Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a clean reformat is the only way to clean the infection and it is the only way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc) only. DO NOT back up any executable files (software) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, try to avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Tell me what you wish to do.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
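As an added example (not part of the original thread or extremeboy's instructions), here is a Python script that applies the backup rule above to a folder before anything is copied off the infected machine: every .exe and .scr file is flagged for exclusion, zip archives are opened and excluded if they carry such files, and cab/rar archives are set aside for manual review. The folder name and sample files are constructed for the demonstration.

```python
import os
import zipfile
from pathlib import Path

# Extensions the thread says Virut appends itself to.
INFECTABLE = {".exe", ".scr"}
# Archive types the thread warns about; only zip is opened here (cab/rar need extra libraries).
OTHER_ARCHIVES = {".cab", ".rar"}

def classify(path: Path) -> str:
    """Return 'exclude', 'inspect' or 'safe' for one file that is a backup candidate."""
    ext = path.suffix.lower()
    if ext in INFECTABLE:
        return "exclude"          # never copy .exe/.scr off an infected box
    if ext == ".zip":
        try:
            with zipfile.ZipFile(path) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "inspect"      # unreadable archive: hold for manual review
        if any(Path(n).suffix.lower() in INFECTABLE for n in names):
            return "exclude"      # archive carries .exe/.scr: skip the whole zip
        return "safe"
    if ext in OTHER_ARCHIVES:
        return "inspect"          # not opened here: check contents by hand
    return "safe"

def plan_backup(root: str) -> dict:
    """Walk root and bucket every file into exclude / inspect / safe lists."""
    plan = {"exclude": [], "inspect": [], "safe": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            plan[classify(p)].append(p.relative_to(root).as_posix())
    for bucket in plan.values():
        bucket.sort()
    return plan

def build_sample(root: str) -> None:
    """Constructed sample tree (hypothetical files, not from the thread)."""
    r = Path(root)
    (r / "docs").mkdir(parents=True, exist_ok=True)
    (r / "docs" / "thesis.doc").write_bytes(b"text")
    (r / "setup.exe").write_bytes(b"MZ")
    (r / "pretty.scr").write_bytes(b"MZ")
    with zipfile.ZipFile(r / "tools.zip", "w") as zf:
        zf.writestr("bin/helper.exe", "MZ")
    with zipfile.ZipFile(r / "photos.zip", "w") as zf:
        zf.writestr("beach.jpg", "jpg")
```

Run `build_sample("virut_backup_demo")` followed by `plan_backup("virut_backup_demo")` to see the three buckets; only the "safe" list should be copied to backup media.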

#3 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender: Male
  • Local time: 05:37 PM

Posted 17 February 2009 - 08:43 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#4 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender: Male
  • Local time: 05:37 PM

Posted 19 February 2009 - 05:26 PM

Hello.

Due to Lack of feedback, this topic is now Closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy