Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Virut Infection

  • Please log in to reply
No replies to this topic

#1 Lyceaum


  • Members
  • 1 posts
  • Local time:04:56 PM

Posted 11 September 2009 - 12:36 PM

I know I have a virus, and after a little research on it, I believe its a Virut infection. Ive tried bought everything I know of to get rid of it, but so far im coming up short. Tried avenger, highjack, malware bytes, rootrepeal, also tried to scan it with gmer and dds. it simply eats them up as fast as I can download them, infecting and killing them. After some research I discovered that this virus latchs onto any and all exe, and executable files it discovers. So I tried to wipe the drive, and reinstall xp period, removing only media, and image files before i did it. Well it worked for a second, but very soon it was back and I havent a clue how it crossed over. So I did it again making absolutely sure to take nothing that has either been in contact with the infection, or could realistically be infected. All I got was the same results. I do believe I have kept one step ahead of it though, the first time it came, it locked out literally everything, including control panel and anything that could possibly affect it. But I did however manage to get the hidden files in view the last time, and I found two strange things right off the bat. One was a very weird folder in C: called 32788R22FWJFW in which were stored a bunch of files, I take it it was the base it was operating out of. And this text ironically called Bug.txt (I would attach it, but since it might be infected ill just post the contents. Also im running WINXP Service Pack 3 for your info.

PUSHD "C:\32788R22FWJFW"

SET "Comspec=C:\WINDOWS\system32\cmd.execf"

IF NOT EXIST C:\WINDOWS\system32\cmd.exe GOTO Not_NT

VER 1>OsVer

GREP.cfxxe -F "5.1.2" OsVer 1>XP.mac

IF 0 == 0 GOTO NT

SET "Ver_CF=09-09-07.05"

IF NOT EXIST NircmdB.exe COPY /Y Nircmd.cfxxe NircmdB.exe
1 file(s) copied.

PEV UZIP License\pv_5_2_2.zip .\

MOVE /Y PV.exe PV.cfxxe

IF NOT EXIST PEV.cfxxe COPY /Y PEV.exe PEV.cfxxe
1 file(s) copied.

GREP.cfxxe -isq "ProductType.*WinNT" WinNT00 || GOTO Not_NT

SED "/^PATH=/I!d; s///; s/\x22//g" Oripath 1>OriPath00

PEV -rtf -s+901 .\OriPath00 && (
SED -r "s/\x22//g; s/(.{900}).*/\1/; s/;[^;]*$//" OriPath00 1>OriPath01
FOR /F "TOKENS=*" %G IN (OriPath01) DO @SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;%G"

IF NOT EXIST OriPath01 FOR /F "TOKENS=*" %G IN (OriPath00) DO SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;%G"

SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\"
Killing 'runonce.exe'
Killing 'grpconv.exe'
Killing 'procmon.exe'
Killing 'ANDRE.EXE'
Killing 'TOLO.exe'
Killing 'Merlin.scr'
Killing 'jalang.exe'
Killing 'jalangkung.exe'
Killing 'jantungan.exe'
Killing 'DOSEN.exe'
Killing 'C3W3K4MPUS.exe'
pv: No matching processes found

PEV -rtf --c:##5# .\* and { License.exe or 32788R22FWJFW.exe or OsVer.exe or WinNT.exe or N_.exe } 1>temp00 && (
PV -o%f * 1>temp01
PEV -tf -t!o --files:temp01 --c:##5#b#f# 1>temp02
GREP -Fif temp00 temp02 1>temp03
SED "/.* /!d; s///" temp03 1>temp04
SED ":a; $!N; s/\n/\x22 \x22/; ta; s/.*/\x22&\x22/" temp04 1>temp05
Active code page: 1252
Could Not Find C:\32788R22FWJFW\AbortB

Could Not Find C:\32788R22FWJFW\md5sum00.pif

PEV -rtf -md54C31434B834B14D226AEA1A0A5C172C4 .\md5sum.pif || CALL :MDFaiL ChkSum_Fail

PEV -tf --files:files.pif --c:##5#b#f# 1>mdCheck00.dat

GREP -vs "^!MD5:" mdCheck00.dat 1>mdCheck0a.dat

Now I aint a professional, but I do believe this virus keeps a record of itself, wholly confident that this cant be seen.

Well I appreciate any help yall can give, thanks.

Oh yeah I forgot I did get maleware bytes to run once and only once. heres what it found.

Malwarebytes' Anti-Malware 1.41
Database version: 2777
Windows 5.1.2600 Service Pack 3

9/11/2009 7:41:10 AM
mbam-log-2009-09-11 (07-41-10).txt

Scan type: Full Scan (C:\|)
Objects scanned: 29838
Time elapsed: 8 minute(s), 20 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
C:\WINDOWS\sv3.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\WINDOWS\svchost.exe (Trojan.Dropper) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\EvdoServer.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\evdoserver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\evdoserver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\netlogin (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlogin (Trojan.Dropper) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\sv3.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\EvdoServer.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\svchost.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\7HTEPIDK\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\AX7IDLGI\w[1].bin (Backdoor.Bot) -> Delete on reboot.

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

Edited by Lyceaum, 11 September 2009 - 06:55 PM.

BC AdBot (Login to Remove)


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users