
Infected and noticing lots of problems


  • This topic is locked
3 replies to this topic

#1 barryfivehundred

barryfivehundred

  • Members
  • 2 posts

Posted 31 May 2009 - 04:29 PM

Sorry for the non-descriptive topic title.
Hi, I'm having lots of problems with my laptop. Where to start? First, I can't enable the Windows firewall; sometimes I can't access the Task Manager; automatic and manual Windows updates don't work; my wifi connection drops out every 15 minutes or so and I have to reconnect; and it seems there is something in my laptop constantly accessing the internet, as when I look at the router the wifi light is always flashing. I have removed all sorts of spy/malware with Spybot S&D and SUPERAntiSpyware, but it always returns an hour or so later. I've noticed programs like reader_s.exe and scvhost using up 99% of my power. This all started happening about a week ago, and before that everything was good.

Basically my laptop is in a very sad way. I'll post the log and see what happens ;--) cheers



DDS (Ver_09-05-14.01) - NTFSx86
Run by baz at 22:16:07.90 on 31/05/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.124 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe
C:\Documents and Settings\baz\reader_s.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
svchost.exe C:\WINDOWS\TEMP\VRT1D.tmp
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\baz\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: MSN helper: {10c0b0c0-fc01-473b-8ebb-4376353f96e4} - becbn.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Registry Cleaner Scheduler] "c:\program files\cleanmypc\registry cleaner\RCHelper.exe" /startup
uRun: [reader_s] c:\documents and settings\baz\reader_s.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe
mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe
mRun: [TOSHIBA Accessibility] c:\program files\toshiba\accessibility\FnKeyHook.exe
mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP
mRun: [SVPWUTIL] c:\program files\toshiba\windows utilities\SVPWUTIL.exe SVPwUTIL
mRun: [Zooming] ZoomingHook.exe
mRun: [TCtryIOHook] TCtrlIOHook.exe
mRun: [TPSMain] TPSMain.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mRun: [reader_s] c:\windows\system32\reader_s.exe
StartupFolder: c:\docume~1\baz\startm~1\programs\startup\freeco~1.lnk - c:\program files\freecom personal media suite\FCPMS.exe
StartupFolder: c:\docume~1\baz\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_01\bin\npjpi150_01.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {BB8A8834-A0A1-4d70-A21A-72FF89AA737A} - {6932D140-ABC4-4073-A44C-D4A541665E35}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: imageshack.us\toolbar
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\baz\applic~1\mozilla\firefox\profiles\aro83nin.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\baz\application data\mozilla\firefox\profiles\aro83nin.default\extensions\{7378b8c2-fc38-41b8-a8c9-875d1f5b0a24}\components\NativeComponent.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJPI150_01.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPOJI610.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 protect;protect;c:\windows\system32\drivers\protect.sys [2009-5-31 18944]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2006-6-6 11776]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [2005-1-13 12032]
S1 53245794;53245794;c:\windows\system32\drivers\53245794.sys [2009-5-23 0]
S2 msncache;msncache;c:\windows\system32\svchost.exe -k netsvcs [2005-5-20 34816]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2008-12-20 42512]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]

=============== Created Last 30 ================

2009-05-31 22:08 136,160 a------- c:\windows\system32\drivers\ethguehb.sys
2009-05-31 22:08 58,880 a------- c:\windows\system32\3E.tmp
2009-05-31 22:07 154,624 a------- c:\windows\system32\3D.tmp
2009-05-31 22:07 40,449 a------- c:\windows\system32\3B.tmp
2009-05-31 22:07 124 a------- c:\windows\system32\39.tmp
2009-05-31 19:32 45 a------- c:\windows\system32\ca.dat
2009-05-31 19:15 58,880 a------- c:\windows\system32\B2.tmp
2009-05-31 19:15 84 a------- c:\windows\system32\B0.tmp
2009-05-31 18:39 58,880 a------- c:\windows\system32\3A.tmp
2009-05-31 18:39 84 a------- c:\windows\system32\36.tmp
2009-05-31 18:19 18,944 a---h--- c:\windows\system32\drivers\protect.sys
2009-05-31 18:19 60,929 a------- c:\documents and settings\baz\reader_s.exe
2009-05-31 18:19 60,929 a------- c:\windows\system32\reader_s.exe
2009-05-31 18:19 58,880 a------- c:\windows\system32\19.tmp
2009-05-31 18:19 84 a------- c:\windows\system32\17.tmp
2009-05-31 17:14 1 a------- c:\windows\system32\q1.dat
2009-05-31 17:14 1 a------- c:\windows\system32\idm.dat
2009-05-31 17:14 1 a------- c:\windows\system32\ck.dat
2009-05-31 17:14 1 a------- c:\windows\system32\c2d.dat
2009-05-31 16:56 40 a------- c:\windows\system32\C.tmp
2009-05-31 16:29 40 a------- c:\windows\system32\15.tmp
2009-05-31 13:39 40 a------- c:\windows\system32\4D.tmp
2009-05-31 13:25 40 a------- c:\windows\system32\48.tmp
2009-05-31 13:14 40 a------- c:\windows\system32\41.tmp
2009-05-31 09:41 40 a------- c:\windows\system32\B.tmp
2009-05-31 09:04 40 a------- c:\windows\system32\46.tmp
2009-05-30 22:40 40 a------- c:\windows\system32\14.tmp
2009-05-30 22:14 40 a------- c:\windows\system32\4F.tmp
2009-05-30 19:07 40 a------- c:\windows\system32\32.tmp
2009-05-30 15:59 40 a------- c:\windows\system32\6C.tmp
2009-05-30 15:15 40 a------- c:\windows\system32\69.tmp
2009-05-30 08:55 40 a------- c:\windows\system32\55.tmp
2009-05-30 08:51 40 a------- c:\windows\system32\50.tmp
2009-05-29 22:55 40 a------- c:\windows\system32\38.tmp
2009-05-29 22:08 40 a------- c:\windows\system32\2E.tmp
2009-05-29 19:22 40 a------- c:\windows\system32\47.tmp
2009-05-29 18:32 40 a------- c:\windows\system32\1D.tmp
2009-05-29 15:30 40 a------- c:\windows\system32\45.tmp
2009-05-29 12:41 40 a------- c:\windows\system32\29.tmp
2009-05-28 23:33 40 a------- c:\windows\system32\3C.tmp
2009-05-28 17:03 40 a------- c:\windows\system32\30.tmp
2009-05-27 22:39 40 a------- c:\windows\system32\27.tmp
2009-05-27 22:17 42,496 a------- c:\windows\system32\becbn.dll
2009-05-27 18:21 42,496 a------- c:\windows\system32\bekbn.dll
2009-05-27 18:19 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-05-27 17:59 0 a------- c:\windows\system32\13.tmp
2009-05-27 17:59 40 a------- c:\windows\system32\12.tmp
2009-05-27 17:48 0 a------- c:\windows\system32\34.tmp
2009-05-27 17:07 0 a------- c:\windows\system32\2A.tmp
2009-05-27 16:48 40 a------- c:\windows\system32\23.tmp
2009-05-27 15:22 0 a------- c:\windows\system32\164.tmp
2009-05-27 15:17 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-27 15:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-27 15:10 0 a------- c:\windows\system32\15F.tmp
2009-05-27 09:30 0 a------- c:\windows\system32\14D.tmp
2009-05-27 09:28 0 a------- c:\windows\system32\145.tmp
2009-05-26 23:21 40 a------- c:\windows\system32\31.tmp
2009-05-26 22:48 40 a------- c:\windows\system32\28.tmp
2009-05-26 22:12 70,144 a------- c:\windows\system32\inform.dat
2009-05-26 22:12 16,164 a------- c:\windows\system32\fkas
2009-05-26 22:12 40 a------- c:\windows\system32\22.tmp
2009-05-26 19:23 61,440 a------- c:\windows\system32\drivers\wdkd.sys
2009-05-26 19:14 1 a------- c:\windows\system32\4E.tmp
2009-05-26 19:14 84 a------- c:\windows\system32\4C.tmp
2009-05-26 18:28 1 a------- c:\windows\system32\2F.tmp
2009-05-26 18:28 69,120 a------- c:\windows\system32\2D.tmp
2009-05-26 18:28 1 a------- c:\windows\system32\2C.tmp
2009-05-26 18:16 1 a------- c:\windows\system32\25.tmp
2009-05-26 18:16 84 a------- c:\windows\system32\24.tmp
2009-05-26 18:15 23,040 a--sh--- c:\windows\system32\9Ct.dll
2009-05-26 14:02 572 a--s---- c:\windows\system32\3372735059.dat
2009-05-26 14:02 58,880 a------- c:\windows\system32\21.tmp
2009-05-26 14:02 38,400 a------- c:\windows\system32\20.tmp
2009-05-26 14:02 12,597 a------- c:\windows\system32\1F.tmp
2009-05-26 14:01 176 a------- c:\windows\system32\1C.tmp
2009-05-25 23:04 <DIR> --d----- c:\documents and settings\baz\Pavark
2009-05-25 22:27 58,880 a------- c:\windows\system32\1E.tmp
2009-05-25 22:27 120 a------- c:\windows\system32\1B.tmp
2009-05-25 22:24 61,440 a------- c:\windows\system32\drivers\jfzhtow.sys
2009-05-25 22:12 58,880 a------- c:\windows\system32\A4.tmp
2009-05-25 22:12 58,880 a------- c:\windows\system32\A3.tmp
2009-05-25 22:12 120 a------- c:\windows\system32\A0.tmp
2009-05-25 22:12 120 a------- c:\windows\system32\9C.tmp
2009-05-25 09:31 95,029 a------- C:\MGlogs.zip
2009-05-25 09:31 <DIR> --d----- C:\MGtools
2009-05-25 09:01 <DIR> --d----- c:\docume~1\baz\applic~1\Malwarebytes
2009-05-25 09:01 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-25 09:01 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-25 09:01 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-25 09:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-24 23:42 <DIR> --d----- c:\windows\system32\3361
2009-05-24 23:42 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-05-24 23:42 <DIR> --d----- c:\windows\dhcp
2009-05-24 23:42 178,688 a------- c:\windows\system32\tpsaxyd.exe
2009-05-24 23:42 <DIR> --dshr-- c:\program files\ThunMail
2009-05-24 22:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-24 22:14 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-24 22:14 <DIR> --d----- c:\docume~1\baz\applic~1\SUPERAntiSpyware.com
2009-05-24 22:13 120 a------- c:\windows\system32\37.tmp
2009-05-24 20:03 1,341,441 a------- C:\MGtools.exe
2009-05-24 19:16 120 a------- c:\windows\system32\11.tmp
2009-05-23 22:23 120 a------- c:\windows\system32\2B.tmp
2009-05-23 22:23 120 a------- c:\windows\system32\26.tmp
2009-05-23 19:25 <DIR> --d----- c:\windows\system32\121973
2009-05-23 19:24 0 a------- c:\windows\system32\drivers\53245794.sys
2009-05-23 19:20 <DIR> --d----- C:\Games
2009-05-23 19:08 120 a------- c:\windows\system32\4B.tmp
2009-05-23 19:08 120 a------- c:\windows\system32\49.tmp
2009-05-23 19:06 120 a------- c:\windows\system32\40.tmp
2009-05-23 19:06 120 a------- c:\windows\system32\3F.tmp
2009-05-23 19:02 44,032 a------- c:\windows\system32\35.tmp
2009-05-23 19:02 120 a------- c:\windows\system32\33.tmp
2009-05-23 18:55 <DIR> --d----- c:\program files\PrevxCSI
2009-05-23 17:26 <DIR> --d-h--- c:\documents and settings\baz\Recent(2)
2009-05-23 16:59 <DIR> --d----- c:\windows\pss
2009-05-23 16:10 <DIR> --d----- c:\program files\RegVac Registry Cleaner
2009-05-23 16:06 <DIR> --d----- c:\program files\CleanMyPC
2009-05-23 13:46 <DIR> --d----- c:\program files\Trend Micro
2009-05-23 13:05 <DIR> --d----- c:\program files\CCleaner
2009-05-22 23:13 <DIR> --d----- c:\program files\Prevx
2009-05-22 22:27 <DIR> --d----- c:\program files\RogueRemover FREE

==================== Find3M ====================

2009-05-27 09:29 77,155 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-01 13:59 93,692 a------- c:\windows\system32\drivers\8bd26015.sys
2009-05-01 13:23 182,912 ac------ c:\windows\system32\drivers\ndis.sys
2009-05-01 13:19 34,816 a------- c:\windows\system32\svchost.exe
2006-06-22 23:03 604 ac--h--- c:\program files\STLL Notifier
2003-12-02 00:12 7,168 ac------ c:\program files\vdremote.dll
2003-12-02 00:12 6,656 ac------ c:\program files\vdicmdrv.dll
2003-12-02 00:12 39,936 ac------ c:\program files\auxsetup.exe
2003-12-02 00:11 5,120 ac------ c:\program files\vdsvrlnk.dll
2003-12-02 00:11 74,186 ac------ c:\program files\VirtualDub.vdhelp
2003-12-02 00:11 79,486 ac------ c:\program files\VirtualDub.vdi
2003-12-02 00:11 580,608 a------- c:\program files\VirtualDub.exe
2003-10-01 18:31 18,321 ac------ c:\program files\copying
2006-05-03 10:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 11:47 31,232 -c-shr-- c:\windows\system32\msfDX.dll

============= FINISH: 22:16:51.60 ===============



#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,722 posts
  • Gender:Male
  • Location:The Netherlands

Posted 31 May 2009 - 04:44 PM

Hi barryfivehundred,

Welcome to BC HijackThis forum. I am farbar. I'm afraid I have got bad news.

Your computer is infected with one of the nastiest file infectors:

Virut is a polymorphic file infector with some additional features. It spreads all around the drive and infects even files infected by another virus previously. The only symptoms are a strange HDD activity while infecting, and also unwanted TCP traffic. Virut tries to connect you into an IRC network under the user name "Virtu" and zombify you. Unfortunately, the cleaning of this virus is very difficult or almost impossible.


The virus remains resident in memory and infects executable files with ".EXE" and ".SCR" file extensions.


Its damage to the system is almost beyond repair, as it disables Windows File Protection:

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.


http://www.ca.com/us/securityadvisor/virus...s.aspx?id=55141

Therefore all those running processes are most probably now the virus agent.

The only fast and safe answer to the virus is reformatting and reinstalling windows.
You may backup non-executable (data) files and reformat the entire hard drive.

Note that files with the following extensions should not be backed up: .exe/.scr/.htm/.html/.xml/.zip/.rar/.asp/.php
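The backup rule in the reply above (copy data files, never the listed extensions) is easy to get wrong by hand on a large profile, especially with upper-case names like FILE.EXE or disguised double extensions like holiday.jpg.exe. The script below is an added example, not code from this thread, from Farbar or from BleepingComputer; it applies exactly the reply's extension list, compares extensions case-insensitively, does a dry run first, and then copies only the files that pass. The sample file tree it builds in a temporary directory is constructed for the demonstration; the profile path and backup destination are placeholders the reader substitutes.

```python
"""Data-only backup filter for a host infected by a file infector.

Added example (not the thread's or the project's own code). It implements
the rule from the reply above: copy data files, but never files whose
extension is in the excluded list.
"""
import os
import shutil
import tempfile
from pathlib import Path

# Extensions the reply says must not be backed up. The comparison is
# case-insensitive, so FILE.EXE and file.exe are treated alike.
EXCLUDED_EXTENSIONS = frozenset({
    ".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar", ".asp", ".php",
})


def is_backup_safe(name: str) -> bool:
    """True if a file with this name may be copied under the rule above.

    Only the final suffix decides: 'holiday.jpg.exe' is an executable and is
    rejected; 'notes.exe.txt' is a text file and is accepted. A name with no
    suffix at all is accepted, because the rule is purely extension-based.
    """
    return Path(name).suffix.lower() not in EXCLUDED_EXTENSIONS


def plan_backup(source: Path):
    """Dry run: walk `source` and split every regular file into sorted
    (copied, skipped) lists of paths relative to `source`. Nothing is written."""
    copied, skipped = [], []
    for dirpath, _dirnames, filenames in os.walk(source):
        for filename in filenames:
            full = Path(dirpath) / filename
            if not full.is_file():  # dangling symlinks and the like
                continue
            rel = full.relative_to(source)
            (copied if is_backup_safe(filename) else skipped).append(rel)
    return sorted(copied), sorted(skipped)


def run_backup(source: Path, dest: Path):
    """Copy only the safe files from `source` into `dest`, preserving the
    directory layout. Returns (copied, skipped) so the operator can review
    exactly which files were left behind."""
    copied, skipped = plan_backup(source)
    for rel in copied:
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source / rel, target)
    return copied, skipped


def demo():
    """Build a constructed sample profile in a temp dir and back it up.
    Returns the (copied, skipped) lists from run_backup."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "profile"   # placeholder for the real user profile
        dst = Path(tmp) / "backup"    # placeholder for the external drive
        # Constructed sample tree: contents are dummy bytes, not real files.
        sample = {
            "My Documents/thesis.doc": b"data",
            "My Documents/holiday.JPG.EXE": b"MZ..",   # disguised executable
            "My Documents/photos.zip": b"PK..",
            "Desktop/notes.txt": b"data",
            "Desktop/site/index.html": b"<html>",
            "reader_s.exe": b"MZ..",   # same name/location the DDS log shows running
        }
        for rel, body in sample.items():
            path = src / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(body)
        copied, skipped = run_backup(src, dst)
        print("copied :", [p.as_posix() for p in copied])
        print("skipped:", [p.as_posix() for p in skipped])
        return copied, skipped


if __name__ == "__main__":
    demo()
```

Run the dry run (plan_backup) first and read the skipped list before copying; anything you expected to keep but see there is a sign the file is not what its name suggests. The filter deliberately does not try to open or scan files, since on a host where the infector is resident the only trustworthy step is to leave every executable behind and rebuild.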

#3 barryfivehundred

barryfivehundred
  • Topic Starter

  • Members
  • 2 posts

Posted 31 May 2009 - 04:52 PM

Hi barryfivehundred,

Welcome to BC HijackThis forum. I am farbar. I'm afraid I have got bad news.

Your computer is infected with one of the nastiest file infectors:

Virut is a polymorphic file infector with some additional features. It spreads all around the drive and infects even files infected by another virus previously. The only symptoms are a strange HDD activity while infecting, and also unwanted TCP traffic. Virut tries to connect you into an IRC network under the user name "Virtu" and zombify you. Unfortunately, the cleaning of this virus is very difficult or almost impossible.


The virus remains resident in memory and infects executable files with ".EXE" and ".SCR" file extensions.


Its damage to the system is almost beyond repair, as it disables Windows File Protection:

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.


http://www.ca.com/us/securityadvisor/virus...s.aspx?id=55141

Therefore all those running processes are most probably now the virus agent.

The only fast and safe answer to the virus is reformatting and reinstalling windows.
You may backup non-executable (data) files and reformat the entire hard drive.

Note that files with the following extensions should not be backed up: .exe/.scr/.htm/.html/.xml/.zip/.rar/.asp/.php


Ouch! This sounds nasty indeed. Well, thanks for the quick reply, farbar.
I guess a reinstall is the only option then. A bit difficult, as I don't own an XP disc and the DVD drive stopped working a long time ago, but I'm sure there's a way around this.
Again, thanks for the help :thumbup2:

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,722 posts
  • Gender:Male
  • Location:The Netherlands

Posted 31 May 2009 - 05:11 PM

You are welcome. I wish there was a better way to fight this nasty virus. But I would have wasted your time, and in the end you would have come to the same decision, as this system is never going to be safe and fully functional without a clean reformat of all drives.

This thread will now be closed.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
