Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Reader_s.exe, servises.exe and other malware

  • This topic is locked This topic is locked
6 replies to this topic

#1 Chubby


  • Members
  • 9 posts
  • Local time:03:32 PM

Posted 03 October 2009 - 03:13 PM

I'm afraid I'm infected with malware which are smarter than me.

The symptoms (that I've discovered) is the reader_s.exe and servises.exe, which runs as processes and are located in the system32 folder. Furthermore there seems to be some fake svchost processes which keep popping up and something is generating .tmp files with random numbers in the system32 folder (like 3.tmp) and these get added as processes too.

There's also a 1.ico, 2.ico and 3.ico files generated in %userdir%\local settings\temp and sometimes .exe files with random numbers in front of them is generated here too and added as processes. I've noticed net activity on the fake (I presume) svchost processes and I'm also sometimes having problems when browsing the web (can't access microsoft.com and kaspersky.com for example). I get some error messages stating (don't know if it's related though):

DCHP 1002:
Lease on the IP address for the Network Card with network address 000C76C3433B was denied by the DHCP server (The DHCP server sent a DHCPNACK message).

I've also got quite a lot crypt32 error messages in my program log with id 8: Automatic update retrieval of sequence number thirdpartyrootlist failed with the error from <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> This network connection does not exist.

Whenever I try removing any or all of this (with spybot, adware or/and avg or manually during safemode deleting manually and using regedit) it keeps coming back and I really got no idea what to do now. (I've also tried searching the net for solutions including this side, but without luck).

UPDATE: I've just tried downloading combofix and get an error when loading it stating that combofix have been corrupted and I might have an virus (virut).

You got my gratitude in advance if you can help me fix this.

My DDS log is pasted below as instructed:

DDS (Ver_09-09-29.01) - NTFSx86
Run by Jacob Larsen at 21:38:17,59 on 03-10-2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.45.1030.18.2047.1280 [GMT 2:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Programmer\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Programmer\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Programmer\Fælles filer\Logishrd\KHAL2\KHALMNPR.EXE
C:\Programmer\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Programmer\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Programmer\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Programmer\Logitech\GamePanel Software\G-series Software\LGDCore.exe
svchost.exe C:\WINDOWS\TEMP\VRT28.tmp
C:\Programmer\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jacob Larsen.JACOB\Dokumenter\My Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.ofir.dk/
uWindow Title = Underdog
mStart Page = about:blank
mWinlogon: UIHost=c:\windows\system32\logonui.exe
mWinlogon: Taskman=c:\recycler\s-1-5-21-3755257744-6992139667-331393164-7004\wnzip32.exe
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programmer\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programmer\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Opslag: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [12CFG214-K641-12SF-N85P] c:\recycler\s-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
mRun: [7931] c:\windows\system32\2B.tmp.exe
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [servises] c:\windows\system32\servises.exe
dRun: [reader_s] c:\documents and settings\jacob larsen.jacob\reader_s.exe
dRun: [servises] c:\windows\system32\servises.exe
mExplorerRun: [servises] c:\windows\system32\servises.exe
dExplorerRun: [servises] c:\windows\system32\servises.exe
StartupFolder: c:\docume~1\jacobl~1.jac\menuen~1\progra~1\start\LOGITE~1.LNK -
StartupFolder: c:\docume~1\alluse~1.win\menuen~1\progra~1\start\logite~1.lnk - c:\programmer\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1.win\menuen~1\progra~1\start\pidgin.lnk - c:\programmer\pidgin\pidgin.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1247609091750
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} -
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\programmer\fælles filer\logitech\bluetooth\LBTWlgn.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = :\windows\system32\srrstr.dll cli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jacobl~1.jac\applic~1\mozilla\firefox\profiles\sgs1eshr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.dk/reader/view/#stream/user%2F10333187266840672368%2Fstate%2Fcom.google%2Freading-list
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmer\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

c:\programmer\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".dk");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-26 64160]
R0 pnpshark;pnpshark;c:\windows\system32\drivers\pnpshark.sys [2003-10-2 119552]
R0 st3shark;st3shark;c:\windows\system32\drivers\st3shark.sys [2003-9-27 5504]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-14 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-14 27784]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-14 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\programmer\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]
R2 WinDefend;Windows Defender;c:\programmer\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 CardReaderFilter;Card Reader Filter;c:\windows\system32\drivers\USBCRFT.SYS [2004-10-2 13440]
R3 PhTVTune;MEDION TV-TUNER 7134 MK2/3;c:\windows\system32\drivers\PhTVTune.sys [2004-10-2 24704]
R3 wbscr;Winbond Smartcard Reader for I/O;c:\windows\system32\drivers\wbscr.sys [2004-10-2 19928]
S3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [2009-10-2 23096]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-3-21 13352]
S3 HPPLSBULK;HPPLSBULK;c:\windows\system32\drivers\hpplsbulk.sys [2005-11-7 9344]
S3 LADF_DHP2;G35 DHP2 Filter Driver;c:\windows\system32\drivers\ladfDHP2i386.sys [2009-8-17 53520]
S3 LADF_SBVM;G35 SBVM Filter Driver;c:\windows\system32\drivers\ladfSBVMi386.sys [2009-8-17 334992]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 PRISM_A00;PRISM 802.11g Driver;c:\windows\system32\drivers\PRISMA00.sys [2004-10-2 380736]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [2007-7-28 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [2007-7-28 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [2007-7-28 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [2007-7-28 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [2007-7-28 98568]
S3 UKBFLT;UKBFLT;c:\windows\system32\drivers\UKBFLT.sys [2004-10-2 11672]

=============== Created Last 30 ================

2009-10-03 21:23 38,400 a------- c:\windows\system32\servises.exe
2009-10-03 21:23 38,912 a------- c:\windows\system32\2C.tmp
2009-10-03 21:23 38,400 a------- c:\windows\system32\2A.tmp
2009-10-03 21:23 18,944 a------- c:\windows\system32\2B.tmp
2009-10-03 21:20 132 a------- c:\windows\system32\29.tmp
2009-10-03 16:41 32 a--s---- c:\windows\system32\4099067677.dat
2009-10-03 13:42 <DIR> --d----- c:\docume~1\jacobl~1.jac\applic~1\FreeFixer
2009-10-03 13:41 <DIR> --d----- c:\programmer\FreeFixer
2009-10-03 01:19 <DIR> --d----- c:\programmer\AnalogWhole
2009-10-02 21:02 2,944 a------- c:\windows\system32\drivers\null.sys
2009-10-02 21:02 4,224 a------- c:\windows\system32\drivers\beep.sys
2009-10-02 21:02 6 a------- c:\windows\system32\_id.dat
2009-10-02 21:00 0 a------- c:\windows\SC.INS
2009-10-02 21:00 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-10-02 20:22 23,096 a------- c:\windows\system32\drivers\DrmRAudio.sys
2009-10-02 19:09 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-09-27 13:54 61,440 a----r-- c:\windows\system32\vuins32.dll
2009-09-27 13:54 43,008 a----r-- c:\windows\system32\drivers\fetnd5bv.sys
2009-09-27 13:54 <DIR> --d----- c:\windows\vnDrvBas
2009-09-24 21:34 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-09-24 21:34 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-09-24 21:34 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2009-09-24 21:33 301,656 a------- c:\windows\system32\BtCoreIf.dll
2009-09-24 21:33 170,512 a------- c:\windows\system32\kemutb.dll
2009-09-24 21:33 145,936 a------- c:\windows\system32\KemUtil.dll
2009-09-24 21:33 117,264 a------- c:\windows\system32\KemWnd.dll
2009-09-24 21:33 84,496 a------- c:\windows\system32\KemXML.dll
2009-09-24 21:32 <DIR> --d----- c:\programmer\fælles filer\Logishrd
2009-09-24 21:22 107,596 a------- C:\toolkit_widget.gif
2009-09-24 21:13 <DIR> --d----- c:\programmer\PCPitstop
2009-09-24 21:13 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\PCPitstop
2009-09-24 15:01 <DIR> --d----- c:\programmer\fælles filer\DivX Shared
2009-09-23 16:28 <DIR> --d----- c:\programmer\Debugging Tools for Windows (x86)
2009-09-15 07:57 8,832 ac------ c:\windows\system32\dllcache\wmiacpi.sys
2009-09-15 07:56 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-09-15 07:55 12,288 a------- c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2009-09-15 07:54 26,112 ac------ c:\windows\system32\dllcache\romanime.ime
2009-09-15 07:53 2,068,608 ac------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-09-15 07:52 92,416 ac------ c:\windows\system32\dllcache\mga.sys
2009-09-15 07:51 90,200 ac------ c:\windows\system32\dllcache\io8ports.dll
2009-09-15 07:50 8,576 ac------ c:\windows\system32\dllcache\hidgame.sys
2009-09-15 07:49 20,992 ac------ c:\windows\system32\dllcache\dshowext.ax
2009-09-15 07:48 500,736 ac------ c:\windows\system32\dllcache\cintsetp.exe
2009-09-15 07:47 12,800 ac------ c:\windows\system32\dllcache\brevif.dll
2009-09-15 07:45 101,888 ac------ c:\windows\system32\dllcache\adpu160m.sys
2009-09-15 07:22 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-09-14 22:55 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-09-14 22:55 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-09-14 22:55 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-09-14 22:55 <DIR> --d----- c:\programmer\AVG
2009-09-14 22:55 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\avg8
2009-09-14 22:52 <DIR> --d----- c:\docume~1\jacobl~1.jac\applic~1\AVG8
2009-09-13 20:38 <DIR> --d----- c:\programmer\Process Explorer
2009-09-13 12:54 11,952 -------- c:\windows\system32\avgrsstx.dll.install_backup
2009-09-13 11:56 1,486,945 ----h--- C:\treeinfo.wc
2009-09-13 11:46 120 a------- c:\windows\d.ini

==================== Find3M ====================

2009-10-02 21:02 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-10-02 21:00 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-09-13 23:30 15,688 a------- c:\windows\system32\lsdelete.exe
2009-09-13 23:29 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-09-12 23:10 526,066 a------- c:\windows\system32\perfh006.dat
2009-09-12 23:10 106,052 a------- c:\windows\system32\perfc006.dat
2009-08-25 20:44 83,706 a------- c:\windows\War3Unin.dat
2009-08-05 11:00 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-21 17:55 442,368 a------- c:\windows\system32\ATIDEMGX.dll
2009-07-21 17:54 325,120 a------- c:\windows\system32\ati2dvag.dll
2009-07-21 17:44 204,800 a------- c:\windows\system32\atipdlxx.dll
2009-07-21 17:44 155,648 a------- c:\windows\system32\Oemdspif.dll
2009-07-21 17:43 46,592 a------- c:\windows\system32\Ati2mdxx.exe
2009-07-21 17:43 43,520 a------- c:\windows\system32\ati2edxx.dll
2009-07-21 17:43 155,648 a------- c:\windows\system32\ati2evxx.dll
2009-07-21 17:42 622,592 a------- c:\windows\system32\ati2evxx.exe
2009-07-21 17:40 53,248 a------- c:\windows\system32\ATIDDC.DLL
2009-07-21 17:35 307,200 a------- c:\windows\system32\atiiiexx.dll
2009-07-21 17:32 11,845,632 a------- c:\windows\system32\atioglxx.dll
2009-07-21 17:32 3,818,272 a------- c:\windows\system32\ati3duag.dll
2009-07-21 17:17 2,670,720 a------- c:\windows\system32\ativvaxx.dll
2009-07-21 17:01 49,664 a------- c:\windows\system32\amdpcom32.dll
2009-07-21 16:57 475,136 a------- c:\windows\system32\atikvmag.dll
2009-07-21 16:55 126,976 a------- c:\windows\system32\atiadlxx.dll
2009-07-21 16:54 17,408 a------- c:\windows\system32\atitvo32.dll
2009-07-21 16:53 45,056 a------- c:\windows\system32\aticalrt.dll
2009-07-21 16:53 45,056 a------- c:\windows\system32\aticalcl.dll
2009-07-21 16:52 290,816 a------- c:\windows\system32\atiok3x2.dll
2009-07-21 16:52 3,227,648 a------- c:\windows\system32\aticaldd.dll
2009-07-21 16:48 626,688 a------- c:\windows\system32\ati2cqag.dll
2009-07-21 10:40 614,400 -------- c:\windows\system32\ati2sgag.exe
2009-07-17 21:03 58,880 a------- c:\windows\system32\atl.dll
2009-07-15 16:40 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2007-05-07 09:29 48,212 ac------ c:\docume~1\jacobl~1.jac\applic~1\wklnhst.dat
2007-04-19 22:56 89,424 ac------ c:\docume~1\jacobl~1.jac\applic~1\GDIPFONTCACHEV1.DAT
2001-11-23 13:08 712,704 a------- c:\windows\inf\other\AUDIO3D.DLL

============= FINISH: 21:41:17,50 ===============

Attached Files

Edited by Chubby, 03 October 2009 - 03:27 PM.

BC AdBot (Login to Remove)


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,805 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:32 AM

Posted 03 October 2009 - 09:51 PM

I'm afraid I have very bad news.

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of virut can even penetrate and infect .exe files within compressed files (.zip, .cab, rar). The Virux variant is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer virut remains on a computer, the more critical system files will become infected and corrupt so the degree of infection can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damaged caused to files by virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. undetected, corrupted files (possibly still containing part of the viral code) can also be found. this is caused by incorrectly written and non-function viral code present in these files.

AVG Overview of W32/VirutThis kind of infection is contracted and spread by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:Virut is not effectively disinfectable. Your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Chubby

  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:32 PM

Posted 04 October 2009 - 04:42 AM

Arg, damnit. Oh well, I guess it's due time for a clean install anyway.

Do I need to clean all partitions?

Thanks for the quick reply.

#4 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,805 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:32 AM

Posted 04 October 2009 - 03:03 PM

VIRUT is insidious. It is best to reformat the entire hard-drive before reinstalling the OS. This will remove all partitions.

You need to back up personal data before reformatting.

It is best to back up only the data you really need and can't replace - like word files, spreadsheets, pictures and other important (personal) data files you are in need of such as your e-mail. Reformatting will destroy them all and you cannot retrieve the files once you have performed the reformat. There is no harm in backing up documents and other important (personal) data. I suggest scanning the living daylights out of these files before putting them back on the newly reformatted drive.

Do NOT back up any Operating System-related files and files you do not recognize. Files that you should not backup include those with the following extensions:


If you need assistance in reformatting and reinstalling, please create a new topic in the XP forum.

To protect yourself against malware and reduce your chance of reinfection in the future, I really recommend to have a look at following links (giving some advice and tips):Orange Blossom :(

Orange Blossom :(
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#5 Chubby

  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:32 PM

Posted 04 October 2009 - 04:01 PM

I've now reformatted and reinstalled windows xp. Can I post a log or something, so you can check if my system is clean?

Edited by Chubby, 04 October 2009 - 04:01 PM.

#6 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,805 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:32 AM

Posted 04 October 2009 - 08:23 PM

Hello Chubby,

Wow! That was fast. After a reformat and clean install, you SHOULD be clean. If you wish to post a log verify that you are indeed clean after the reformat, please start a new topic. Title it something like:

Reformatted because of VIRUT
Am I clean?

The reason why I am requesting that you post a fresh topic is that while I can sometimes recognize when someone has VIRUT and can instruct folks about what needs to be done in that situation, I am not otherwise trained in analyzing logs.

Please note that the HiJack This team is VERY busy, and it can take about 2 weeks before you get a response, though it might be sooner. That's why I responded to your topic in this situation. If you post a new topic, please check it once a day for a response as the e-mail notification system is unreliable.

Also, I wished to comment on the following from your initial post for the benefit of anyone reading this topic:

UPDATE: I've just tried downloading combofix

ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Running ComboFix by yourself is like performing open heart surgery on yourself--the scalpel and other surgical tools that is ComboFix is meant to be wielded by a highly trained surgeon only in emergencies or dire circumstances. When the surgeon is thru s/he leaves the room. So combofix should be removed from a system once it has accomplished its job, unlike an AV that is there to protect you from future infections.

. . . CF does make some alterations to your system if you run it. Even if you had no malware removed and run the uninstall command, some things may be different now on your system. I can tell you that one thing is that all your restore points will be flushed out and a new one created. There is a good reason to do that when you have a severe infection--but if you aren't infected you might need those restore points.

Read and abide by the disclaimer people. It's there for a reason. Stick to running and protecting yourself with a good AV and firewall and an anti-malware scanner or two. If you feel you need a second opinion, try running online scans. If you feel you might need surgery, come here to BC and ask for help--that is what we're here for.

From: http://www.bleepingcomputer.com/forums/ind...t&p=1159014

Happy computing,

Orange Blossom :(
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#7 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,805 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:32 AM

Posted 11 October 2009 - 12:59 AM


I see that you have your new topic posted here: http://www.bleepingcomputer.com/forums/t/262266/reformatted-after-virut/

Please note that you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :(
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users