
infected with virtu (i think)



#1 SoulZaeb (Members, 4 posts)

Posted 14 May 2009 - 12:21 PM

I tried installing Camfrog Pro activation codes that I downloaded somewhere, then I think it failed to work. Anyway, I tried opening Camfrog again, but this time it won't open. After a few minutes of using my computer it suddenly crashed; it rebooted on its own, and when it came back on I was at my desktop except that I can't see any more icons. I had a friend tell me to try and use ComboFix, but after downloading and running it an error popped up saying that it is infected with Virut (enclosed is a screenshot of the error). Please help me, thanks a lot.


DDS (Ver_09-05-14.01) - NTFSx86
Run by MiggY18 at 1:14:05.39 on Fri 05/15/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.1011 [GMT 8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\dhcp\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\sopidkc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\3361\SVCHOST.exe -sysrun
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Vimicro Corporation\VMUVC\VMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\reader_s.exe
C:\Documents and Settings\MiggY18\reader_s.exe
svchost.exe C:\WINDOWS\TEMP\VRT3.tmp
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Documents and Settings\MiggY18\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.1.4.29.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [reader_s] c:\documents and settings\miggy18\reader_s.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [VMonitorVMUVC] "c:\program files\vimicro corporation\vmuvc\VMonitor.exe" VMUVC
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [svchost.exe] "c:\windows\system32\3361\SVCHOST.exe"
mRun: [RegistryMechanic]
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRunOnce: [svchost.exe] "c:\windows\system32\3361\SVCHOST.exe"
dRun: [svc] c:\program files\thunmail\testabd.exe
dRun: [reader_s] c:\documents and settings\miggy18\reader_s.exe
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {F5CC8637-F8EC-494E-B2CE-777BC2B100AB} = 58.69.254.8,58.69.254.15
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\miggy18\applic~1\mozilla\firefox\profiles\54l0c7yt.default\
FF - component: c:\documents and settings\miggy18\application data\idm\idmmzcc2\components\idmmzcc.dll

============= SERVICES / DRIVERS ===============

R2 DhcpSrv;Dhcp server;c:\windows\dhcp\svchost.exe [2009-5-14 260096]
R2 msncache;msncache;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
R2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe [2004-8-4 195072]
R3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\drivers\VMUVC.sys [2009-2-25 247552]
R3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [2009-2-25 476032]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2009-05-15 00:40 136,224 a------- c:\windows\system32\drivers\ethrfhjo.sys
2009-05-15 00:40 152,064 a------- c:\windows\system32\A.tmp
2009-05-15 00:40 84 a------- c:\windows\system32\8.tmp
2009-05-14 21:20 0 a------- c:\windows\system32\7.tmp
2009-05-14 21:20 0 a------- c:\windows\system32\6.tmp
2009-05-14 21:20 84 a------- c:\windows\system32\5.tmp
2009-05-14 21:15 0 a------- c:\windows\system32\3.tmp
2009-05-14 21:12 0 a------- c:\windows\system32\4.tmp
2009-05-14 21:11 84 a------- c:\windows\system32\2.tmp
2009-05-14 21:07 153,088 a------- c:\windows\system32\E1.tmp
2009-05-14 21:07 61,441 a------- c:\windows\system32\reader_s.exe
2009-05-14 21:07 61,441 a------- c:\documents and settings\miggy18\reader_s.exe
2009-05-14 21:05 84 a------- c:\windows\system32\DE.tmp
2009-05-14 16:12 <DIR> --d----- c:\program files\Camfrog
2009-05-14 14:41 <DIR> --d----- c:\windows\system32\3361
2009-05-14 14:41 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-05-14 14:41 <DIR> --d----- c:\windows\dhcp
2009-05-14 14:41 231,936 a------- c:\windows\system32\w.exe
2009-05-14 14:41 36,864 a------- c:\windows\system32\dpcxool64.sys
2009-05-14 14:41 8 a------- c:\windows\system32\comsa32.sys
2009-05-14 14:41 <DIR> --dshr-- c:\program files\ThunMail
2009-05-14 13:08 <DIR> --d----- c:\docume~1\miggy18\applic~1\Camfrog
2009-05-04 11:38 <DIR> --d----- c:\program files\Ventrilo
2009-05-04 11:37 262 a------- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-05-04 11:37 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-03 12:17 <DIR> --d----- c:\program files\SopCast
2009-05-02 23:09 <DIR> --d----- C:\logs
2009-05-02 23:09 <DIR> --d----- c:\documents and settings\miggy18\ChikkaDefault
2009-05-02 23:09 <DIR> --d----- c:\program files\Chikka Messenger
2009-04-21 21:50 <DIR> --d----- C:\Downloads
2009-04-21 21:49 <DIR> --d----- c:\program files\BitComet

==================== Find3M ====================

2009-05-14 21:07 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-04-21 21:50 2,560 a------- c:\windows\system32\BitCometRes.dll
2009-03-29 13:35 81,349 a------- c:\windows\War3Unin.dat
2009-03-29 13:25 159,744 a------- c:\windows\War3Unin.exe
2009-03-29 13:25 2,829 a------- c:\windows\War3Unin.pif
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-24 23:04 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-24 22:54 507,904 a------- c:\windows\system32\winlogon.exe
2009-02-24 22:45 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 1:14:15.90 ===============

Edited by SoulZaeb, 14 May 2009 - 12:51 PM.



#2 Farbar (Security Developer, 21,711 posts, The Netherlands)

Posted 14 May 2009 - 01:10 PM

Hi SoulZaeb,

Welcome to BC HijackThis forum. I am farbar.

I'm afraid I've got bad news.

Your system is indeed infected with one of the nastiest file infectors:

Virut is a polymorphic file infector with some additional features. It spreads all around the drive and infects even files infected by another virus previously. The only symptoms are a strange HDD activity while infecting, and also unwanted TCP traffic. Virut tries to connect you into an IRC network under the user name "Virtu" and zombify you. Unfortunately, the cleaning of this virus is very difficult or almost impossible.

http://www.ca.com/us/securityadvisor/virus...s.aspx?id=55141

The virus remains resident in memory and infects executable files with ".EXE" and ".SCR" file extensions.


Its damage to the system is almost beyond repair, as it disables Windows File Protection:

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.


http://www.ca.com/us/securityadvisor/virus...s.aspx?id=55141

Therefore all those running processes are most probably now the virus agent.

There is a claim by Grisoft that the following tool can remove the infection:

http://www.softpedia.com/get/Antivirus/Win...t-Remover.shtml

This claim is hard to believe. Not only are almost all the running processes infected, but their copies in the i386 folder and in the dll cache are patched as well.

Therefore the only fast and safe answer to the virus is reformatting and reinstalling Windows. You may back up non-executable (data) files and reformat the entire hard drive.
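The triage Farbar does by eye on the DDS log above, written out as an added example that is not part of this thread or of any of the tools mentioned in it: a small Python script that parses the "Running Processes" section of a DDS log and flags launchers that mimic Windows binaries but run from foreign paths (C:\WINDOWS\dhcp\svchost.exe, system32\3361\SVCHOST.exe), svchost instances started without a -k service-group switch, and executables living in TEMP or directly in a user profile root. The sample input is copied from the log posted in this thread; the allowed-directory table and the heuristic rules are this example's own assumptions for a stock 32-bit XP install with Windows in C:\WINDOWS.

```python
"""Triage a DDS 'Running Processes' listing for masquerading launchers.

Added example (not part of the thread): flags processes whose image name
mimics a Windows binary but runs from a directory Windows never uses, plus a
few path heuristics. Assumes a stock 32-bit XP install with Windows in
C:\\WINDOWS; the allowed-directory table and the rules are this example's own.
"""
import ntpath
import re

# Constructed sample: lines copied from the DDS log posted in the thread.
SAMPLE_DDS = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\dhcp\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\3361\SVCHOST.exe -sysrun
C:\WINDOWS\System32\reader_s.exe
C:\Documents and Settings\MiggY18\reader_s.exe
svchost.exe C:\WINDOWS\TEMP\VRT3.tmp

============== Pseudo HJT Report ===============
"""

# Directories from which a stock XP install runs these binaries (assumption).
SYSTEM_DIRS = {
    "svchost.exe": {r"c:\windows\system32"},
    "rundll32.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|scr|com))(?:\s+(.*))?$", re.IGNORECASE)
PROFILE_ROOT_RE = re.compile(r"^c:\\documents and settings\\[^\\]+$")


def section_lines(dds_text, title):
    """Yield the non-empty lines of the DDS section whose header contains title."""
    inside = False
    for raw in dds_text.splitlines():
        line = raw.strip()
        if line.startswith("====="):
            if inside:
                return
            inside = title in line
        elif inside and line:
            yield line


def split_command(line):
    """Split a DDS process line into (image, args). DDS prints the image path
    unquoted even when it contains spaces, so split at the first executable
    extension; a line with no extension is split at its first space."""
    m = IMAGE_RE.match(line)
    if m:
        return m.group(1), m.group(2) or ""
    image, _, args = line.partition(" ")
    return image, args


def assess(line):
    """Return (severity, reason) findings for one process line; [] if nothing odd."""
    image, args = split_command(line)
    directory = ntpath.dirname(image).lower()
    name = ntpath.basename(image).lower()
    if "." not in name:
        name += ".exe"  # DDS occasionally drops the extension
    findings = []
    expected = SYSTEM_DIRS.get(name)
    # A system binary name resolved to a directory Windows never uses for it.
    if expected and directory and directory not in expected:
        findings.append(("high", f"{name} runs from {directory!r}, expected {sorted(expected)}"))
    # Anything launched from, or handed a file in, a TEMP directory.
    if "\\temp\\" in line.lower():
        findings.append(("high", "references a TEMP directory"))
    # Real svchost instances are always started with a -k <service group> switch.
    if name == "svchost.exe" and args and not args.lower().startswith("-k"):
        findings.append(("medium", f"svchost.exe without -k switch: {args!r}"))
    # Executables dropped straight into a user profile root or an all-digit directory.
    if PROFILE_ROOT_RE.match(directory):
        findings.append(("medium", "executable directly in a user profile root"))
    if any(part.isdigit() for part in directory.split("\\")):
        findings.append(("medium", "all-digit directory name in image path"))
    return findings


def triage(dds_text):
    """Map each suspicious 'Running Processes' line to its findings."""
    report = {}
    for line in section_lines(dds_text, "Running Processes"):
        found = assess(line)
        if found:
            report[line] = found
    return report


if __name__ == "__main__":
    for line, found in triage(SAMPLE_DDS).items():
        print(line)
        for severity, reason in found:
            print(f"    [{severity}] {reason}")
```

Run against the posted log this flags the dhcp\svchost.exe and system32\3361\SVCHOST.exe launchers, the reader_s.exe copy in the profile root, and the svchost.exe instance handed C:\WINDOWS\TEMP\VRT3.tmp, while the stock svchost -k instances and the Apple helper pass. The caveat is Farbar's own point: with a file infector, a binary running from the correct path can still be infected, so a clean result from this check says nothing about the files themselves; it only identifies foreign launchers that do not belong on the system.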

#3 SoulZaeb (Topic Starter, Members, 4 posts)

Posted 14 May 2009 - 01:29 PM

Hey Farbar, thank you very much for a quick and honest reply. I kept my fingers crossed and still tried using the antivirus that you posted. However, if all else fails I would sure be reformatting and reinstalling everything again. Again, thank you for your time and more power ^ ^

By the way, this is the log from the virus remover (attachment).

Do you think I should still reformat?

Edited by SoulZaeb, 14 May 2009 - 01:42 PM.


#4 Farbar (Security Developer, 21,711 posts, The Netherlands)

Posted 14 May 2009 - 01:45 PM

You are very welcome SoulZaeb, and I wish I could assist you more, but I know it is a lost cause.

This thread will now be closed.

If you should have a new issue, please start a new topic.



