win32.virut.cf remove failed


  • This topic is locked
4 replies to this topic

#1 jkkimkj

jkkimkj

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:07 PM

Posted 21 June 2009 - 09:25 PM

Norton Internet Security keeps detecting multiple incidents of the win32.virut.cf and I downloaded the tool from the Norton site that is supposed to rid my computer of this virus from http://securityresponse.symantec.com/secur...-020411-2802-99
I ran it many times but it has not solved the problem as this notice keeps coming up. I should mention this computer is a netbook I purchased overseas (Samsung NC10) and I don't know if that's why but it won't allow me to install some software (I get error messages). It never bothered me before but it won't let me install HijackThis, which could be a problem in this situation. It also won't let me install OTListIt or Malwarebytes. In a desperate attempt after reading some posts about this virus, I ran ComboFix without realizing it could present more problems. I would appreciate help with getting rid of this pesky virus and maybe some suggestions about why my computer won't let me install certain things. Oh, and this virus came about after I tried to fix my brother's horribly infected computer by downloading things on my computer and using a flash drive to transfer and install onto my bro's comp. Maybe my flash drive got infected?

This is my DDS log


DDS (Ver_09-05-14.01) - NTFSx86 NETWORK
Run by Jenn at 18:55:17.81 on Sun 06/21/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1042.18.1014.578 [GMT -7:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50winampab&query=d
uInternet Connection Wizard,ShellNext = hxxp://www.gmail.com/
uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
BHO: Adobe PDF Reader ?? ???: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.5.0.135\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Orb] "c:\program files\winamp remote\bin\OrbTray.exe" /background
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [EDS] c:\program files\samsung\samsung eds\EDSAgent.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SUPBackGround] c:\program files\samsung\samsung update plus\SUPBackGround.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [ctfmon.exe] ctfmon.exe
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: Bluetooth ??? ???(&:thumbup2:... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.5.0.135\CoIEPlg.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jenn\applic~1\mozilla\firefox\profiles\mqt8j5kt.default\
FF - prefs.js: browser.startup.homepage - file:///C:/WINDOWS/Web/Start/index.htm
FF - plugin: c:\documents and settings\jenn\application data\mozilla\firefox\profiles\mqt8j5kt.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-1 64160]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-3-22 310320]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1003344]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1005000.087\BHDrvx86.sys [2009-3-22 258608]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1005000.087\cchpx86.sys [2009-3-22 482352]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090618.002\IDSXpx86.sys [2009-6-19 276344]
S2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2008-10-27 4300]
S2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\mcshield.exe --> c:\program files\mcafee\virusscan\McShield.exe [?]
S2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.5.0.135\ccSvcHst.exe [2009-3-22 115560]
S2 SNM WLAN Service;SNM WLAN Service;c:\program files\samsung\samsung network manager\SNMWLANService.exe [2006-10-29 38012]
S3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-14 30208]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-26 101936]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090620.025\NAVENG.SYS [2009-6-20 89104]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090620.025\NAVEX15.SYS [2009-6-20 876144]
S3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2008-10-27 238464]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]

=============== Created Last 30 ================

2009-06-21 18:45 <DIR> --d----- C:\Rooter$
2009-06-20 00:55 <DIR> --ds---- C:\ComboFix
2009-06-19 21:45 <DIR> a-dshr-- C:\cmdcons
2009-06-19 21:38 161,792 a------- c:\windows\SWREG.exe
2009-06-19 21:38 155,136 a------- c:\windows\PEV.exe
2009-06-19 21:38 98,816 a------- c:\windows\sed.exe
2009-06-02 01:36 754 a------- c:\windows\WORDPAD.INI
2009-05-29 22:32 <DIR> --d----- c:\program files\PrinterShare

==================== Find3M ====================

2009-06-20 01:53 166,314 a------- c:\windows\system32\perfh012.dat
2009-06-20 01:53 39,876 a------- c:\windows\system32\perfc012.dat
2009-06-19 17:22 2,166,784 a------- c:\windows\MicCal.exe
2009-06-19 17:22 2,810,880 a------- c:\windows\ALCWZRD.EXE
2009-06-19 17:19 9,716,736 a------- c:\windows\RTLCPL.EXE
2009-06-19 17:18 25,600 a------- c:\windows\twunk_32.exe
2009-06-19 17:06 319,488 a------- c:\windows\HideWin.exe
2009-06-19 17:06 275,456 a------- c:\windows\winhlp32.exe
2009-06-19 17:04 11,776 a------- c:\windows\system32\chkdsk.exe
2009-06-19 17:03 76,800 a------- c:\windows\system32\nslookup.exe
2009-06-19 17:02 4,608 a------- c:\windows\system32\dllhst3g.exe
2009-06-19 16:48 23,040 a------- c:\windows\system32\diskperf.exe
2009-06-19 16:48 181,760 a------- c:\windows\system32\diskpart.exe
2009-06-19 16:48 87,040 a------- c:\windows\system32\diantz.exe
2009-06-19 16:48 28,672 a------- c:\windows\system32\ddeshare.exe
2009-06-19 16:48 6,144 a------- c:\windows\system32\dcomcnfg.exe
2009-06-19 16:48 5,120 a------- c:\windows\system32\bootvrfy.exe
2009-06-19 16:48 4,608 a------- c:\windows\system32\bootok.exe
2009-06-19 16:48 71,680 a------- c:\windows\system32\blastcln.exe
2009-06-19 16:46 96,256 a------- c:\windows\system32\netsh.exe
2009-06-19 16:45 18,432 a------- c:\windows\pchealth\helpctr\binaries\HscUpd.exe
2009-06-19 16:45 99,840 a------- c:\windows\pchealth\helpctr\binaries\HelpHost.exe
2009-06-19 16:45 35,328 a------- c:\windows\pchealth\helpctr\binaries\notiflag.exe
2009-06-19 16:45 67,584 a------- c:\windows\NOTEPAD.EXE
2009-06-19 12:27 180,224 a------- c:\windows\system32\dwwin.exe
2009-06-19 12:27 10,752 a------- c:\windows\system32\dumprep.exe
2009-06-19 10:15 1,200,128 a------- c:\windows\RtlUpd.exe
2009-06-19 10:14 744,448 a------- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
2009-06-19 10:14 67,584 a------- c:\windows\system32\notepad.exe
2009-06-19 10:14 32,768 a------- c:\windows\system32\defrag.exe
2009-06-19 10:03 307,200 a------- c:\windows\SetDisplayResolution.exe
2009-06-19 10:02 24,576 a------- c:\windows\system32\drivers\Marker.exe
2009-06-19 09:52 57,344 a------- c:\windows\ALCMTR.EXE
2009-06-19 09:51 32,768 a------- c:\windows\system32\rundll32.exe
2009-06-19 09:49 196,608 a------- c:\windows\system32\wbem\wmiadap.exe
2009-06-19 09:49 346,624 a------- c:\windows\system32\tourstart.exe
2009-06-19 09:49 537,600 a------- c:\windows\system32\spider.exe
2009-06-19 09:49 19,456 a------- c:\windows\system32\ssbezier.scr
2009-06-19 09:49 30,208 a------- c:\windows\system32\sethc.exe
2009-06-19 09:49 429,568 a------- c:\windows\system32\ntvdm.exe
2009-06-19 09:49 1,413,120 a------- c:\windows\system32\mmc.exe
2009-06-19 09:49 15,872 a------- c:\windows\system32\dmremote.exe
2009-06-19 09:46 1,053,184 a------- c:\windows\explorer.exe
2009-06-19 09:40 249,344 a------- c:\windows\system32\wbem\wmiprvse.exe
2009-06-18 14:24 45,056 a------- c:\windows\system32\shmgrate.exe
2009-05-29 16:11 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-07 08:32 342,528 a------- c:\windows\system32\localspl.dll
2009-04-28 21:42 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 21:42 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-25 14:41 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-19 12:47 1,846,784 a------- c:\windows\system32\win32k.sys
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 18:55:38.42 ===============


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:07 PM

Posted 22 June 2009 - 12:20 AM

Hi,

Welcome to BC HijackThis forum. I am farbar. I'm afraid I have got bad news.

Virut is a polymorphic file infector with some additional features. It spreads all around the drive and infects even files infected by another virus previously. The only symptoms are a strange HDD activity while infecting, and also unwanted TCP traffic. Virut tries to connect you to an IRC network under the user name "Virtu" and zombify you. Unfortunately, the cleaning of this virus is very difficult or almost impossible.


The virus remains resident in memory and infects executable files with ".EXE" and ".SCR" file extensions.


Its damage to the system is almost beyond repair as it disables Windows File Protection:

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.


http://www.ca.com/us/securityadvisor/virus...s.aspx?id=55141

Therefore all those running processes are most probably now the virus agent.

The only fast and safe answer to the virus is reformatting and reinstalling windows.
You may backup non-executable (data) files and reformat the entire hard drive.

Note that files with the following extensions should not be backed up: .exe/.scr/.htm/.html/.xml/.zip/.rar/.asp/.php
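
One way to see the file-infector symptom Farbar describes in the DDS log above: the "Find3M" section lists dozens of otherwise static Windows executables (.exe/.scr under c:\windows) all rewritten on the same day, 2009-06-19. The script below is an added example, not part of this thread or of the DDS tool; it parses lines in the Find3M format shown in the log (a few of them copied above as constructed sample input) and flags days on which a burst of infectable system executables changed, as a triage cue for a file infector, not as proof of one.

```python
import re

# Constructed sample input: lines copied from the Find3M section of the
# DDS log above (date, time, size, attributes, path).
SAMPLE_FIND3M = r"""
2009-06-20 01:53 166,314 a------- c:\windows\system32\perfh012.dat
2009-06-19 17:22 2,166,784 a------- c:\windows\MicCal.exe
2009-06-19 17:06 275,456 a------- c:\windows\winhlp32.exe
2009-06-19 17:04 11,776 a------- c:\windows\system32\chkdsk.exe
2009-06-19 09:51 32,768 a------- c:\windows\system32\rundll32.exe
2009-06-19 09:49 19,456 a------- c:\windows\system32\ssbezier.scr
2009-06-19 09:46 1,053,184 a------- c:\windows\explorer.exe
2009-05-29 16:11 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-19 12:47 1,846,784 a------- c:\windows\system32\win32k.sys
"""

# One Find3M line: YYYY-MM-DD HH:MM <size with commas> <attrs> <path>
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+) (\S+) (.+)$")
INFECTABLE = (".exe", ".scr")          # extensions the thread says Virut infects
SYSTEM_DIR = "c:\\windows\\"           # system executables normally stay static


def parse_find3m(text):
    """Yield (date, size_bytes, attrs, lowercased path) for each matching line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            date, _time, size, attrs, path = m.groups()
            yield date, int(size.replace(",", "")), attrs, path.lower()


def suspicious_days(text, min_hits=3):
    """Return {date: [paths]} for days on which at least min_hits infectable
    executables under the Windows directory were modified. A cluster of such
    rewrites on one day is the file-infector symptom described in the thread
    (legitimate causes, e.g. a service pack, should be ruled out by hand)."""
    hits = {}
    for date, _size, _attrs, path in parse_find3m(text):
        if path.startswith(SYSTEM_DIR) and path.endswith(INFECTABLE):
            hits.setdefault(date, []).append(path)
    return {day: paths for day, paths in hits.items() if len(paths) >= min_hits}


if __name__ == "__main__":
    for day, paths in suspicious_days(SAMPLE_FIND3M).items():
        print(f"{day}: {len(paths)} infectable system executables modified")
        for p in paths:
            print("   ", p)
```

Run against the full Find3M section of the log, the 2009-06-19 cluster grows to several dozen entries, which is what makes a restore-from-clean-media recommendation rather than a per-file cleanup the sensible answer.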

#3 jkkimkj

jkkimkj
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:07 PM

Posted 22 June 2009 - 12:40 AM

Thanks so much. At least I now know what has to be done. I've been using my computer in safe mode with networking since the virus was discovered. Is this considered safe or should I be restoring it asap?
Since it's a netbook there's no disc drive so I can't stick in the CD to restore it. Do I need to get a hold of an external disc drive or is there a simple alternative method to restoring?

Oh, and I was wondering how I got this virus. Could it have been transferred from an infected flash drive? And if so, is there a way I can clean my flash drive?

Edited by jkkimkj, 22 June 2009 - 12:43 AM.


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:07 PM

Posted 22 June 2009 - 01:11 AM

You are welcome, I wish I could have been able to give more help.

Perhaps an external or USB disc drive is the solution. You can also Google it or open a topic at:

http://www.bleepingcomputer.com/forums/f/7/internal-hardware/
Or
Windows XP Home and Professional

To be on the safe side with this nasty virus you can backup the data on the flash drives and reformat them.

#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:07 PM

Posted 27 June 2009 - 07:35 PM

This thread will now be closed since the issue seems to be resolved.

If you should have a new issue, please start a new topic.
