
Just recovered from 2 attacks and over zealous cleanup.


6 replies to this topic

#1 brian2009 (Members, 289 posts)

Posted 24 February 2009 - 01:53 AM

Added: Could someone examine my current setup log to see how stable all my fixes (described below) have worked?




During (right after) a scan done by Avira, the computer froze and I couldn't get a report to look at. It said it had to restart in order to delete more files, but after that I fell into a log-on loop because my XP-SP1 Windows/System32/userinit.exe file had been deleted. I managed to get it loaded back on with a BartPE CD I had to create.

Seems to be running fairly well now, and I have no more log-in problems. But I think quite a few of my files were damaged. During the prior Avira scan, 11,000 very small .exe programs had been found and removed. Per the event log, it was W32/Virut.AX.

Here are the most recent Avast logs and what it found.

2/14/2009 11:40:45 AM SYSTEM 1056 Sign of "Win32:Kolabc-DU [Wrm]" has been found in "C:\WINDOWS\Fonts\wmsncs.exe" file.
2/14/2009 11:41:17 AM SYSTEM 1056 Sign of "Win32:Kolabc-DU [Wrm]" has been found in "C:\Program Files\Common Files\System\wmsncs.exe" file.
2/14/2009 11:41:18 AM SYSTEM 1056 Sign of "Win32:Kolabc-DU [Wrm]" has been found in "C:\WINDOWS\System32\spool\drivers\wmsncs.exe" file.
2/14/2009 11:41:19 AM SYSTEM 1056 Sign of "Win32:Kolabc-DU [Wrm]" has been found in "C:\WINDOWS\System32\wins\wmsncs.exe" file.
2/14/2009 11:41:32 AM SYSTEM 1056 Sign of "Win32:Allaple [Wrm]" has been found in "C:\WINDOWS\System32\irdvxc.exe" file.
2/14/2009 11:44:47 AM 2372 Sign of "Win32:Kolabc-DU [Wrm]" has been found in "c:\program files\common files\system\wmsncs.exe" file.
2/14/2009 11:45:25 AM 2372 Sign of "Win32:Kolabc-DU [Wrm]" has been found in "c:\windows\fonts\wmsncs.exe" file.
2/14/2009 11:45:52 AM 2372 Sign of "Win32:Allaple [Wrm]" has been found in "c:\windows\system32\irdvxc.exe" file.
2/14/2009 11:48:36 AM 2476 Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7.
2/14/2009 11:52:15 AM SYSTEM 1064 Sign of "Win32:Kolabc-DU [Wrm]" has been found in "C:\WINDOWS\Fonts\wmsncs.exe" file.
2/14/2009 11:52:37 AM SYSTEM 1064 Sign of "Win32:Kolabc-DU [Wrm]" has been found in "C:\WINDOWS\Fonts\wmsncs.exe" file.
2/14/2009 11:56:15 AM 2372 Sign of "Win32:Kolabc-DU [Wrm]" has been found in "c:\windows\system32\spool\drivers\wmsncs.exe" file.
2/14/2009 11:56:29 AM 2372 Sign of "Win32:Kolabc-DU [Wrm]" has been found in "c:\windows\system32\wins\wmsncs.exe" file.
2/14/2009 3:08:38 PM 2644 Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7.
2/15/2009 6:14:35 AM SYSTEM 1048 Sign of "Win32:Allaple [Wrm]" has been found in "C:\WINDOWS\system32\.exe" file.
2/15/2009 1:48:29 PM SYSTEM 1044 Sign of "Win32:Virtob" has been found in "C:\WINDOWS\system32\.exe" file.
2/15/2009 10:08:30 PM SYSTEM 1044 Sign of "Win32:Virtob" has been found in "C:\WINDOWS\system32\ftpupd.exe" file.
2/16/2009 11:50:03 AM SYSTEM 1016 Sign of "Win32:Allaple [Wrm]" has been found in "C:\WINDOWS\system32\.exe" file.
2/22/2009 7:27:55 PM SYSTEM 976 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2/22/2009 10:08:57 PM 3328 Sign of "Win32:SdBot-gen44 [Trj]" has been found in "C:\WINDOWS\Debug\DCPROMO.LOG" file.
2/22/2009 10:27:49 PM 3328 Sign of "Win32:Virut-C" has been found in "C:\WINDOWS\system32\config\software.old" file.
2/22/2009 10:37:17 PM 3328 Sign of "VBS:Malware-gen" has been found in "C:\WINDOWS\system32\w" file.

Thanks

Like I said, it seems to be running and scanning ok now, but I'm concerned that it/they might be lurking around unseen (by me anyway).

Just as I was typing this I ran Malwarebytes which found and deleted one item...which I have seen before.

egiscatoolbar.dll (I can't seem to pull up the exact report)

Edited by brian2009, 24 February 2009 - 11:54 AM.
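As an added example (not part of the original post), here is a small triage script run over the Avast lines above. It parses the detection lines, skips the update-failure noise, tallies hits per signature, and flags what a responder would look at first: the nameless "\.exe" in system32, droppers sitting in directories that never hold executables (Fonts, spool\drivers, wins), the same filename dropped into several places, and file-infector hits (Virut/Virtob), where the flagged file is a modified host rather than a dropped payload. The directory list and the Virut/Virtob name matching are assumptions of this example, not Avast's own logic; the sample log is a constructed subset of the lines quoted above.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample: a subset of the Avast lines quoted above, plus one of the
# update-failure lines, so the parser can be exercised offline.
SAMPLE_LOG = r'''
2/14/2009 11:40:45 AM SYSTEM 1056 Sign of "Win32:Kolabc-DU [Wrm]" has been found in "C:\WINDOWS\Fonts\wmsncs.exe" file.
2/14/2009 11:41:18 AM SYSTEM 1056 Sign of "Win32:Kolabc-DU [Wrm]" has been found in "C:\WINDOWS\System32\spool\drivers\wmsncs.exe" file.
2/14/2009 11:41:32 AM SYSTEM 1056 Sign of "Win32:Allaple [Wrm]" has been found in "C:\WINDOWS\System32\irdvxc.exe" file.
2/14/2009 11:44:47 AM 2372 Sign of "Win32:Kolabc-DU [Wrm]" has been found in "c:\program files\common files\system\wmsncs.exe" file.
2/14/2009 11:48:36 AM 2476 Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7.
2/15/2009 6:14:35 AM SYSTEM 1048 Sign of "Win32:Allaple [Wrm]" has been found in "C:\WINDOWS\system32\.exe" file.
2/22/2009 10:27:49 PM 3328 Sign of "Win32:Virut-C" has been found in "C:\WINDOWS\system32\config\software.old" file.
'''

# One Avast detection line: timestamp, optional account (SYSTEM), pid, then
# the fixed 'Sign of "<sig>" has been found in "<path>" file.' sentence.
DETECTION_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+'
    r'(?:(?P<user>[A-Za-z]+)\s+)?(?P<pid>\d+)\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)

# Assumptions of this example, not Avast's logic: directories in which a stray
# .exe deserves a second look, and signature-name fragments treated as
# parasitic file infectors (the host file was patched, not merely dropped).
ODD_DIRS = ('\\fonts\\', '\\spool\\drivers\\', '\\wins\\')
INFECTOR_MARKERS = ('virut', 'virtob')


class Detection(NamedTuple):
    timestamp: str
    pid: int
    signature: str
    path: str


def parse_detections(log_text: str) -> List[Detection]:
    """Return the detection lines; update failures and other noise are skipped."""
    found = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m['ts'], int(m['pid']), m['sig'], m['path']))
    return found


def is_file_infector(signature: str) -> bool:
    return any(marker in signature.lower() for marker in INFECTOR_MARKERS)


def triage(detections: List[Detection]) -> Dict[str, object]:
    by_signature = Counter(d.signature for d in detections)
    dirs_by_name = defaultdict(set)      # basename -> directories it was seen in
    findings = []
    for d in detections:
        lower = d.path.lower()
        dirname, _, base = lower.rpartition('\\')
        dirs_by_name[base].add(dirname)
        if base == '.exe':
            findings.append(f'nameless executable: {d.path}')
        elif base.endswith('.exe') and any(od in lower for od in ODD_DIRS):
            findings.append(f'executable in a non-code directory: {d.path}')
        if is_file_infector(d.signature):
            findings.append(f'file infector hit ({d.signature}), host file modified: {d.path}')
    # The same dropper copied into three or more directories: worm behaviour.
    replicated = sorted(name for name, dirs in dirs_by_name.items() if len(dirs) >= 3)
    return {
        'by_signature': dict(by_signature),
        'findings': list(dict.fromkeys(findings)),   # de-duplicate, keep order
        'replicated_droppers': replicated,
    }


if __name__ == '__main__':
    result = triage(parse_detections(SAMPLE_LOG))
    for sig, n in sorted(result['by_signature'].items()):
        print(f'{n:3d}  {sig}')
    for line in result['findings']:
        print('!!', line)
    print('replicated droppers:', result['replicated_droppers'])
```

The point of the split between "dropped" and "infected" is practical: a dropper can be deleted, but a Virut hit on an existing file means that file has been patched, so deleting it removes something the system may need, which is what happened to userinit.exe in the post above. Paste the full log into SAMPLE_LOG (or read it from a file) to triage a real run.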




#2 extremeboy (Malware Response Team, 12,975 posts)

Posted 24 February 2009 - 05:47 PM

Hello.

Very, very, very nasty infection you have. The infamous "Virut" file infector appearing these days.

Virut File Infector Warning

Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr), and also web pages (.html and .htm). However, the problem is that the virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files; those files are then corrupted beyond repair. As of now, security experts suggest that a clean reinstall or reformat is the only way to clean the infection, and it is the only way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software), screensavers (*.scr), or any web pages (*.html or *.htm). It attempts to infect any accessed .exe, .scr or .html/.htm file by appending itself to the executable.

Also, try to avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

More information on Virut can be found over here and here

Tell me what you decide to do.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

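One way to carry out the selective backup described in the reply above, as an added example that is not part of extremeboy's post: the script walks a source tree, refuses every .exe/.scr/.html/.htm, opens each .zip and skips the whole archive if any member has one of those extensions, and reports what it copied and why it skipped the rest. Treating .cab/.rar as skip-outright (rather than inspecting them with a third-party reader) and the sample directory tree it builds in a temporary folder are assumptions of this example.

```python
import shutil
import tempfile
import zipfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, List

# File types the post says Virut infects: these never go into the backup.
INFECTABLE = {'.exe', '.scr', '.html', '.htm'}
# Archives this script can open and inspect (stdlib zipfile only).
INSPECTABLE_ARCHIVES = {'.zip'}
# Assumption of this example: cab/rar would need third-party readers, so they
# are skipped outright rather than copied unchecked.
OPAQUE_ARCHIVES = {'.cab', '.rar'}


def archive_has_infectable(path: Path) -> bool:
    """True if any member of the zip has an infectable extension (or it won't open)."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(Path(name).suffix.lower() in INFECTABLE for name in zf.namelist())
    except zipfile.BadZipFile:
        return True          # unreadable archive: treat as unsafe


def classify(path: Path) -> str:
    ext = path.suffix.lower()
    if ext in INFECTABLE:
        return 'skip:infectable'
    if ext in OPAQUE_ARCHIVES:
        return 'skip:opaque-archive'
    if ext in INSPECTABLE_ARCHIVES and archive_has_infectable(path):
        return 'skip:archive-contains-infectable'
    return 'copy'


def backup_tree(src: Path, dst: Path) -> Dict[str, List[str]]:
    """Copy the safe files from src to dst; report what was copied and what was skipped, and why."""
    report: Dict[str, List[str]] = defaultdict(list)
    for p in sorted(src.rglob('*')):
        if not p.is_file():
            continue
        rel = p.relative_to(src)
        verdict = classify(p)
        if verdict == 'copy':
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
        report[verdict].append(rel.as_posix())
    return dict(report)


def build_demo_tree(root: Path) -> None:
    """Constructed sample standing in for a user's documents folder (not real data)."""
    (root / 'docs').mkdir(parents=True)
    (root / 'docs' / 'thesis.doc').write_bytes(b'word document')
    (root / 'docs' / 'notes.txt').write_text('plain text')
    (root / 'web').mkdir()
    (root / 'web' / 'index.html').write_text('<html></html>')
    (root / 'setup.exe').write_bytes(b'MZ...')
    (root / 'saver.SCR').write_bytes(b'MZ...')        # extension check is case-insensitive
    with zipfile.ZipFile(root / 'photos.zip', 'w') as zf:
        zf.writestr('holiday/a.jpg', b'jpeg bytes')
    with zipfile.ZipFile(root / 'tools.zip', 'w') as zf:
        zf.writestr('readme.txt', 'text')
        zf.writestr('bin/tool.exe', b'MZ...')        # one .exe poisons the whole archive
    (root / 'old.rar').write_bytes(b'Rar!')


def run_demo() -> Dict[str, List[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / 'src', Path(tmp) / 'backup'
        build_demo_tree(src)
        report = backup_tree(src, dst)
        # Every file reported as copied must really be in the destination.
        assert all((dst / f).is_file() for f in report.get('copy', []))
        return report


if __name__ == '__main__':
    for verdict, files in sorted(run_demo().items()):
        print(f'{verdict}:')
        for f in files:
            print('   ', f)
```

To use it on a real machine, call backup_tree() with the documents folder and the destination. Run it from a clean system against the mounted disk rather than on the infected box: a Python interpreter installed on the infected machine is itself an .exe, which is exactly the kind of file the reply says Virut targets.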

#3 brian2009 (Topic Starter)

Posted 25 February 2009 - 01:58 AM

Thanks for the response. Though that's bad news.

I will back-up what I can of my important data for now.

I think I'm willing to try and fight it...... for now at least, because it seems to be fairly stable. That is, if you have any good suggestions.

The "8-9 random text character".exe files it created were all 59 KB as I recall, for whatever that's worth, and I shut off the machine when I sensed it doing something contrary.

I will read up on it for now.

Brian2009

#4 extremeboy (Malware Response Team)

Posted 25 February 2009 - 04:18 PM

Hello.

Let me know once you have backed up everything. Although it may be stable now, eventually, and especially once we start cleaning, it WON'T be, because many files are damaged, and these may include system files; that will cause some unstable results and can sometimes lead to system failure.

Let me know.

With Regards,
Extremeboy

#5 brian2009 (Topic Starter)

Posted 26 February 2009 - 12:11 PM

OK, sounds good. Will do.

I've read the articles about this one.

But once I get all the DATA and sensitive info off, I see no reason not to attempt to clean it.

#6 extremeboy (Malware Response Team)

Posted 26 February 2009 - 04:36 PM

Hello.

But once I get all the DATA and sensitive info off, I see no reason not to attempt to clean it.

Cleaning this infection may not go successfully, and even if it does, many files will probably be damaged and will cause the system to be very unstable. This may then lead to system crashes and to being unable to boot up any longer. This is why a reinstall or format will be the best option here, without causing any trouble for me or you.

With Regards,
Extremeboy

#7 brian2009 (Topic Starter)

Posted 30 April 2009 - 01:47 PM

Just for the record, and to possibly help anyone who has reason to believe they had a similar virut infection...I am happy to report that my computer was indeed fixable and seems to be running fine and has been for many weeks now.

I used the same basic clean-up strategies as for most other infections, nothing out of the ordinary. I will say that the ComboFix cleaner really seemed to do the most 'fixing'. I should add that I used it under the guidance of an expert.

brian



