Infected with Virut


  • This topic is locked
4 replies to this topic

#1 Nibbus


  • Members
  • 2 posts
  • Gender:Male
  • Local time:07:37 PM

Posted 24 May 2009 - 02:23 AM

Hi there,

It's my first time here, as I never had a virus like this...

I first found it with AVG, which quarantined all my exe files, causing the system to present an empty working area. After that I ran a removal tool from Symantec, which did nothing, and a removal tool by AVG, which was effective; at least all my icons appeared and the computer is bootable again and hangs on without restarting.
After that I ran Malwarebytes, which grabbed a lot of things...

The issue is that some connections are being started in my "netstat -a" to jL.chura.pl on many ports... I don't know if that's the virus, because if I run an AV test it still catches hundreds of exe files infected (which weren't supposed to be...), meaning that it is still active...

Not getting any advances, I come to you in a last hope of not formatting my hard drive...

Thanks in advance for any help you can provide, and forgive me for the English errors; I hope you understood the problem.

The hijack report is the following:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Utilizador at 7:59:05,34 on 24-05-2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.351.2070.18.1023.390 [GMT 1:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Kaspersky Internet Security *On-access scanning enabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programas\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
svchost.exe
C:\Programas\Conceptronic\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programas\Ficheiros comuns\Portrait Displays\Shared\DTSRVC.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Programas\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Programas\Google\Update\GoogleUpdate.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Ficheiros comuns\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programas\iTunes\iTunesHelper.exe
C:\Programas\Portrait Displays\Pivot Software\wpctrl.exe
C:\Programas\Java\jre6\bin\jusched.exe
C:\Programas\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Programas\PowerISO\PWRISOVM.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programas\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Programas\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programas\Portrait Displays\Pivot Software\floater.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Conceptronic\Bluetooth Software\BTTray.exe
C:\Programas\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\dhcp\svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\3361\SVCHOST.exe -sysrun
C:\Documents and Settings\Utilizador\Ambiente de trabalho\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.pt/
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Facilitador de Leitor de Link Adobe PDF: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programas\ficheiros comuns\adobe\acrobat\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\programas\bitcomet\tools\BitCometBHO_1.3.3.2.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\programas\avg\avg8\avgssie.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\programas\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programas\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\programas\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: IE Developer Toolbar BHO: {cc7e636d-39aa-49b6-b511-65413da137a1} - c:\programas\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programas\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\programas\google\google gears\internet explorer\0.5.19.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programas\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\programas\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\programas\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programas\google\google toolbar\GoogleToolbar.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: IE Developer Toolbar: {a202b231-ef71-4a08-bdb9-4ce5ae8bde0a} - c:\programas\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
EB: MBNet: {4e592651-4590-11d6-bc20-00c095eead5d} - c:\windows\system32\shdocvw.dll
uRun: [swg] c:\programas\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [NLJ1] c:\documents and settings\utilizador\application data\microsoft\windows\uyenx.exe
uRun: [OM_Monitor] c:\programas\olympus\olympus master\Monitor.exe -NoStart
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Utilizador] c:\documents and settings\utilizador\Utilizador.exe /i
mRun: [Adobe Reader Speed Launcher] "c:\programas\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\programas\itunes\iTunesHelper.exe"
mRun: [PivotSoftware] "c:\programas\portrait displays\pivot software\wpctrl.exe"
mRun: [SunJavaUpdateSched] "c:\programas\java\jre6\bin\jusched.exe"
mRun: [AdobeCS4ServiceManager] "c:\programas\ficheiros comuns\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [AVP] "c:\programas\kaspersky lab\kaspersky internet security 7.0\avp.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [DT HPW] c:\programas\ficheiros comuns\portrait displays\shared\DT_startup.exe -HPW
mRun: [QuickTime Task] "c:\programas\quicktime\qttask.exe" -atboottime
mRun: [PWRISOVM.EXE] c:\programas\poweriso\PWRISOVM.EXE
mRun: [FinePrint Dispatcher v5] "c:\windows\system32\spool\drivers\w32x86\3\fpdisp5a.exe" /source=HKLM
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NVMixerTray] "c:\programas\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [CTStartup] "c:\programas\creative\splash screen\CTEaxSpl.EXE" /run
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTDVDDet] c:\programas\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE
mRun: [CTSysVol] c:\programas\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [RemoteControl] c:\programas\cyberlink\powerdvd\PDVDServ.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [svchost.exe] "c:\windows\system32\3361\SVCHOST.exe"
mRunOnce: [svchost.exe] "c:\windows\system32\3361\SVCHOST.exe"
dRun: [svc] c:\program files\thunmail\testabd.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menuin~1\progra~1\arranque\bttray.lnk - c:\programas\conceptronic\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\menuin~1\progra~1\arranque\satara~1.lnk - c:\programas\silicon image\3114 sataraid5\sam.jar
mPolicies-explorer: <NO NAME> =
IE: &T&ransferir &com BitComet - c:\programas\bitcomet\BitComet.exe/AddLink.htm
IE: &T&ransferir todos os videos com o BitComet - c:\programas\bitcomet\BitComet.exe/AddVideo.htm
IE: &T&ransferir tudo com o BitComet - c:\programas\bitcomet\BitComet.exe/AddAllLink.htm
IE: add to anti-banner - c:\programas\kaspersky lab\kaspersky internet security 7.0\ie_banner_deny.htm
IE: E&xportar para o Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\programas\conceptronic\bluetooth software\btsendto_ie_ctx.htm
IE: {49783ED4-258D-4f9f-BE11-137C18D3E543} - c:\programas\titan poker\casino.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\programas\partygaming\partypoker\RunApp.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\programas\conceptronic\bluetooth software\btsendto_ie.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\programas\bitcomet\tools\BitCometBHO_1.3.3.2.dll/206
IE: {E913D28B-4327-4f36-B303-D08ADF847142} - c:\documents and settings\all users\menu iniciar\programas\vegas poker 247\Vegas Poker 247.lnk
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\programas\google\google gears\internet explorer\0.5.19.0\gears.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\programas\kaspersky lab\kaspersky internet security 7.0\SCIEPlgn.dll
IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - c:\programas\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {C014B140-3835-11d6-BC1D-00C095EEAD5D} - {4E592651-4590-11d6-BC20-00C095EEAD5D} - c:\windows\system32\shdocvw.dll
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4E592651-4590-11D6-BC20-00C095EEAD5D} - hxxps://www.mbnet.pt/sidebar/mbnetsidebar.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - hxxp://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\programas\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\programas\avg\avg8\avgpp.dll
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1.0\adialhk.dll ,c:\progra~1\thunmail\testabd.dll,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\utiliz~1\applic~1\mozilla\firefox\profiles\ches3dca.default\
FF - component: c:\documents and settings\utilizador\application data\mozilla\firefox\profiles\ches3dca.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - component: c:\programas\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\programas\mozilla firefox\components\dfff.dll
FF - component: c:\programas\mozilla firefox\components\WWShow.dll
FF - plugin: c:\programas\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\programas\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\programas\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\programas\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\programas\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\programas\real\realone player\netscape6\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R0 avgrkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-5-22 12552]
R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-10-31 112144]
R1 avgldx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-22 325896]
R1 avgmfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-22 27784]
R1 avgtdix;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-22 108552]
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-12-28 195344]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-22 298776]
R2 AVP;Kaspersky Internet Security 7.0;c:\programas\kaspersky lab\kaspersky internet security 7.0\avp.exe [2008-2-8 227856]
R2 DhcpSrv;Dhcp server;c:\windows\dhcp\svchost.exe --> c:\windows\dhcp\svchost.exe [?]
R2 msncache;msncache;c:\windows\system32\svchost.exe -k netsvcs [2009-5-22 34816]
R2 Programador do LiveUpdate automático;Programador do LiveUpdate automático;c:\programas\symantec\liveupdate\AluSchedulerSvc.exe [2007-3-25 198336]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2005-10-28 10368]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-12-13 24592]
S2 gupdate;Google Update Service;c:\programas\google\update\GoogleUpdate.exe [2008-7-16 133104]
S2 vvdsvc;VJVodServices;c:\windows\system32\svchost.exe -k vvdsvc [2009-5-22 34816]
S3 KCIRDA;%KCIRDA.ServiceDesc%;c:\windows\system32\drivers\KCIRNET.sys [2005-11-30 11856]
S3 sndintd;sndintd;c:\windows\system32\sndintd.sys [2004-6-6 2304]
S3 STUSB2Ir;SigmaTel USB 2.0 IrDA Bridge;c:\windows\system32\drivers\stusb2ir.sys [2005-11-7 44744]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\programas\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-05-24 06:47 <DIR> --d----- c:\programas\ESET
2009-05-24 06:25 <DIR> --d----- c:\windows\dhcp
2009-05-24 06:25 8 a------- c:\windows\system32\comsa32.sys
2009-05-22 09:43 61,440 a------- c:\windows\system32\drivers\zlfntru.sys
2009-05-22 08:45 <DIR> --d----- c:\docume~1\utiliz~1\applic~1\Malwarebytes
2009-05-22 08:45 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-22 08:45 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-22 08:45 <DIR> --d----- c:\programas\Malwarebytes' Anti-Malware
2009-05-22 08:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-22 07:19 49,152 a------- C:\jar.exe
2009-05-22 05:12 2,172 ---sh--- c:\windows\system32\dirupahu.exe
2009-05-22 04:09 1,054,720 a------- c:\windows\Explorer.EXE
2009-05-22 04:09 53,760 a------- c:\windows\system32\rundll32.exe
2009-05-22 04:09 35,840 a------- c:\windows\system32\ctfmon.exe
2009-05-22 04:09 34,816 a------- c:\windows\system32\svchost.exe
2009-05-22 04:09 98,304 a------- c:\windows\SOUNDMAN.EXE
2009-05-22 04:09 94,208 a------- c:\windows\Updreg.EXE
2009-05-22 04:09 45,056 a------- c:\windows\system32\CTHELPER.EXE
2009-05-22 04:08 176,128 a------- c:\windows\system32\NeroCheck.exe
2009-05-22 04:08 70,656 a------- c:\windows\system32\notepad.exe
2009-05-22 04:08 29,184 a------- c:\windows\system32\mshta.exe
2009-05-22 04:08 150,528 a------- c:\windows\regedit.exe
2009-05-22 04:08 114,688 a------- c:\windows\system32\wscript.exe
2009-05-22 03:53 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-22 03:53 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-05-22 03:53 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-22 03:53 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-22 03:53 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-05-22 03:25 2,734,080 a------- C:\rmvirut.exe
2009-05-22 03:22 610 a------- C:\unHookExec.inf
2009-05-19 02:09 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-05-19 02:07 <DIR> --d----- c:\programas\AVG
2009-05-19 02:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-05-19 02:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-05-18 19:15 2,986,872 a------- C:\FixVirut.com
2009-05-18 14:49 <DIR> --d----- c:\windows\system32\%Report%
2009-05-18 14:49 <DIR> --d----- c:\windows\system32\%Quarantine%
2009-05-18 14:49 <DIR> --d----- c:\windows\system32\%Backup%
2009-05-18 14:45 <DIR> --d----- c:\windows\system32\3361
2009-05-18 14:41 0 a------- c:\windows\system32\7D.tmp
2009-05-18 14:41 70,144 a------- c:\windows\system32\7C.tmp
2009-05-18 14:41 84 a------- c:\windows\system32\79.tmp
2009-05-18 14:40 119,884 a------- c:\windows\system32\drivers\fccad22c.sys
2009-05-18 14:40 2 a------- C:\1283992430
2009-05-14 13:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ALM
2009-05-14 12:43 <DIR> --d----- c:\programas\ficheiros comuns\Macrovision Shared
2009-05-14 11:03 <DIR> --d----- c:\programas\ficheiros comuns\Adobe AIR
2009-05-11 05:13 <DIR> --d----- c:\programas\Webteh
2009-05-10 08:05 <DIR> --d----- c:\windows\system32\Nagasoft
2009-05-09 22:47 <DIR> --d----- c:\programas\BitComet

==================== Find3M ====================

2009-05-22 09:57 48,118,816 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-05-22 09:57 1,114,400 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-05-22 09:57 662,228 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-05-22 09:57 113,900 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-05-22 07:03 498,588 a------- c:\windows\system32\perfh016.dat
2009-05-22 07:03 92,394 a------- c:\windows\system32\perfc016.dat
2009-03-31 02:09 62,009 a------- c:\windows\system32\wpfb_ati2dvag.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-18 23:15 87,608 a------- c:\docume~1\utiliz~1\applic~1\inst.exe
2009-01-18 23:15 47,360 a------- c:\docume~1\utiliz~1\applic~1\pcouffin.sys
2007-05-13 09:19 32 a----r-- c:\documents and settings\all users\hash.dat

============= FINISH: 7:59:27,65 ===============


#2 Farbar


    Just Curious


  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:37 PM

Posted 24 May 2009 - 07:06 AM

Hi Nibbus,

Welcome to BC HijackThis forum. I am farbar. I'm afraid I have got bad news.

Virut is one of the nastiest file infectors:

Virut is a polymorphic file infector with some additional features. It spreads all around the drive and infects even files infected by another virus previously. The only symptoms are a strange HDD activity while infecting, and also unwanted TCP traffic. Virut tries to connect you into an IRC network under the user name "Virtu" and zombify you. Unfortunately, the cleaning of this virus is very difficult or almost impossible.


The virus remains resident in memory and infects executable files with ".EXE" and ".SCR" file extensions.


Its damage to the system is almost beyond repair, as it disables Windows File Protection:

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.


http://www.ca.com/us/securityadvisor/virus...s.aspx?id=55141

Therefore all those running processes are most probably now the virus agent.

Therefore the only fast and safe answer to the virus is reformatting and reinstalling Windows.
You may back up non-executable (data) files and reformat the entire hard drive.

Note that files with the following extensions should not be backed up: .exe/.scr/.htm/.html/.xml/.zip/.rar/.asp/.php
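The DDS log in the first post shows core Windows binaries (svchost.exe) running from directories where the genuine copies never live, which is the kind of entry Farbar means when he says the running processes are probably the virus agent. The triage check below is an added example, not code from the thread or from DDS; it parses the "Running Processes" section and flags a known system-binary name whose directory is not the expected one. The sample log is a constructed excerpt built from entries in the post above, and the expected directories assume a system root of C:\WINDOWS as in that log.

```python
import re

# Constructed excerpt modelled on the "Running Processes" section of the DDS
# log in the post above; the entries are copied from that log.
SAMPLE_LOG = """\
============== Running Processes ===============

C:\\WINDOWS\\system32\\svchost -k DcomLaunch
svchost.exe
C:\\WINDOWS\\System32\\svchost.exe -k netsvcs
C:\\WINDOWS\\Explorer.EXE
C:\\WINDOWS\\dhcp\\svchost.exe
C:\\WINDOWS\\system32\\svchost.exe -k netsvcs
C:\\WINDOWS\\system32\\3361\\SVCHOST.exe -sysrun
C:\\Programas\\Mozilla Firefox\\firefox.exe

============== Pseudo HJT Report ===============
"""

# Where the genuine copies of these Windows XP system binaries live. A process
# using one of these names from any other directory deserves a closer look.
# Assumption: the system root is C:\WINDOWS, as in the log above.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

SECTION_RE = re.compile(r"=+ Running Processes =+\n(.*?)\n=+ ", re.S)
# Path first, then an optional argument string that starts with "-".
# The lazy ".+?" stops at the first " -", so paths containing spaces survive.
ENTRY_RE = re.compile(r"^(?P<path>.+?)(?:\s+-(?P<args>.*))?$")


def parse_running_processes(log_text):
    """Return (path, args) tuples from the DDS 'Running Processes' section."""
    m = SECTION_RE.search(log_text)
    if not m:
        return []
    entries = []
    for line in m.group(1).splitlines():
        line = line.strip()
        if not line:
            continue
        e = ENTRY_RE.match(line)
        entries.append((e.group("path"), e.group("args") or ""))
    return entries


def flag_misplaced_system_processes(log_text):
    """Flag system-binary names that run from an unexpected directory.

    Entries DDS printed without a path (a bare 'svchost.exe') cannot be
    checked and are left out rather than guessed at.
    """
    findings = []
    for path, _args in parse_running_processes(log_text):
        if "\\" not in path:
            continue
        directory, name = path.rsplit("\\", 1)
        name = name.lower()
        if "." not in name:          # DDS sometimes drops the extension
            name += ".exe"
        expected = EXPECTED_DIR.get(name)
        if expected and directory.lower() != expected:
            findings.append((path, "%s expected in %s, found in %s"
                             % (name, expected, directory)))
    return findings


if __name__ == "__main__":
    for path, reason in flag_misplaced_system_processes(SAMPLE_LOG):
        print(path, "->", reason)
```

Run against the sample it reports the two svchost.exe copies from c:\windows\dhcp and c:\windows\system32\3361; the entries under the genuine system32 path are not flagged.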

#3 Nibbus

  • Topic Starter

  • Members
  • 2 posts
  • Gender:Male
  • Local time:07:37 PM

Posted 25 May 2009 - 02:18 PM

Hello Farbar,

Thank you for the fast reply.

I am getting crazy with this issue, don't know what else to do... guess formatting is my last option... The problem is that I have personal things (files) that have some of those extensions, including some coded pages from work that I can't lose. Programs and other files are replaceable, but I can't afford to lose work.
Is it possible to transfer those files, mostly rar's and asp's, to another hard drive and then try to clean them from there without infecting that drive too? I didn't try this because I don't want to infect another drive!!!

best regards,

Nibbus

#4 Farbar


    Just Curious


  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:37 PM

Posted 25 May 2009 - 04:02 PM

I wouldn't transfer them. To minimize the risk you can keep those files in one folder on the same computer and run as many scanners as you can. Any file flagged should be gone anyway. The only aim should be a safe backup. I would transfer the safe data, like document files first. Because if the tools remove some system file and the system is not bootable any more, getting there might become a problem.

Here is another tool with big claims you can try before transferring those files: http://www.free-av.de/en/tools/12/avira_an...cue_system.html

Good luck.
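Farbar's advice in posts #2 and #4 comes down to a backup rule: carry over data files only, and leave behind anything with one of the listed extensions. The script below is an added example (not from the thread) that applies exactly that exclusion list when copying a tree, matching extensions case-insensitively and by the last extension only, and reports what it skipped so the user can see which work files did not make it. The sample file list is constructed for the demonstration.

```python
import os
import shutil

# Extensions Farbar says should not be backed up (the list from post #2).
DO_NOT_BACKUP = {
    ".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar", ".asp", ".php",
}

# Constructed sample of relative paths, as they might appear on the infected
# machine; used by the demonstration in __main__.
SAMPLE_FILES = [
    "work\\site\\index.asp",
    "work\\site\\style.css",
    "work\\site\\backup.rar",
    "docs\\thesis.doc",
    "docs\\photo.JPG",
    "downloads\\setup.EXE",
    "downloads\\readme.htm",
    "docs\\README",
]


def is_backup_safe(filename):
    """True if the file's extension is not on the exclusion list.

    The comparison is case-insensitive, so 'setup.EXE' and 'page.Html' are
    both excluded; only the last extension counts, so 'notes.doc.exe' is
    excluded while 'archive.rar.txt' and extension-less files are allowed.
    """
    ext = os.path.splitext(filename.replace("\\", "/"))[1].lower()
    return ext not in DO_NOT_BACKUP


def select_backup_files(relative_paths):
    """Split relative paths into (to_copy, skipped), preserving order."""
    to_copy, skipped = [], []
    for rel in relative_paths:
        (to_copy if is_backup_safe(rel) else skipped).append(rel)
    return to_copy, skipped


def backup_tree(src_root, dst_root):
    """Copy only backup-safe files from src_root into dst_root, keeping the
    directory layout. Returns (copied, skipped) as relative paths."""
    rel_paths = []
    for dirpath, _dirs, files in os.walk(src_root):
        for name in files:
            rel_paths.append(os.path.relpath(os.path.join(dirpath, name), src_root))
    to_copy, skipped = select_backup_files(rel_paths)
    for rel in to_copy:
        target = os.path.join(dst_root, rel)
        os.makedirs(os.path.dirname(target) or dst_root, exist_ok=True)
        shutil.copy2(os.path.join(src_root, rel), target)
    return to_copy, skipped


if __name__ == "__main__":
    keep, skip = select_backup_files(SAMPLE_FILES)
    print("would copy:", keep)
    print("would skip:", skip)
```

Calling backup_tree("D:\\data", "E:\\backup") performs the copy; the skipped list is the set of files that still need scanning before they are trusted anywhere.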

#5 Farbar


    Just Curious


  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:37 PM

Posted 29 May 2009 - 05:48 AM

This thread will now be closed since the issue seems to be resolved.

If you should have a new issue, please start a new topic.
