virut


9 replies to this topic

#1 rtoddbensel

rtoddbensel

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:16 PM

Posted 13 February 2010 - 11:00 PM

Hi!
I'm running an OEM version (no install disk!) of XP on an Asus 1000HA I bought new. It has SP2 & SP3 and is fully patched through Feb 12, 2010 from Microsoft Update. I keep ActiveX shut off, use Firefox and keep Java disabled with NoScript unless I want it to run. It has one antivirus program in operation full time - Avira free version, but I have installed and scan routinely with Malwarebytes, SUPERAntiSpyware, and a-squared Free - all the free versions. It was running slightly slower so I did a complete clean, scanned and found nothing. Then I booted into safe mode, used a pen drive with Portable Apps ClamWin, and found W32.Virut-82. I had ClamWin quarantine these files but did not restart. Here's the description from ClamWin about what it quarantined.

C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db: Permission denied
C:\Documents and Settings\Todd\Local Settings\temp\nse5.tmp: Permission denied
C:\pagefile.sys: Permission denied
C:\WINDOWS\ERDNT\cache\userinit.exe: W32.Virut-82 FOUND
C:\WINDOWS\ERDNT\cache\userinit.exe: moved to 'C:\Program Files\Portable Apps\PortableApps\ClamWinPortable\Data\quarantine\userinit.exe.infected'
C:\WINDOWS\I386\USERINIT.EX_: W32.Virut-82 FOUND
C:\WINDOWS\I386\USERINIT.EX_: moved to 'C:\Program Files\Portable Apps\PortableApps\ClamWinPortable\Data\quarantine\USERINIT.EX_.infected'
C:\WINDOWS\system32\config\default: Permission denied
C:\WINDOWS\system32\config\SAM: Permission denied
C:\WINDOWS\system32\config\SECURITY: Permission denied
C:\WINDOWS\system32\config\software: Permission denied
C:\WINDOWS\system32\config\system: Permission denied
C:\WINDOWS\system32\dllcache\userinit.exe: W32.Virut-82 FOUND
C:\WINDOWS\system32\dllcache\userinit.exe: moved to 'C:\Program Files\Portable Apps\PortableApps\ClamWinPortable\Data\quarantine\userinit.exe.infected.000'
C:\WINDOWS\system32\userinit.exe: W32.Virut-82 FOUND
C:\WINDOWS\system32\userinit.exe: moved to 'C:\Program Files\Portable Apps\PortableApps\ClamWinPortable\Data\quarantine\userinit.exe.infected.001'

----------- SCAN SUMMARY -----------
Known viruses: 712836
Engine version: 0.95.3
Scanned directories: 4598
Scanned files: 39172
Infected files: 4
Data scanned: 10099.02 MB
Data read: 7110.30 MB (ratio 1.42:1)
Time: 7248.562 sec (120 m 48 s)

From everything that I can read on the web, I'm toast because I have no install disk. I will not reboot from safe mode until you can give me some directions. Many thanks.


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,770 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:10:16 PM

Posted 14 February 2010 - 12:54 AM

Unfortunately, Virut is not curable....

You are infected with a polymorphic file infector. This infection can and will infect all the machine's executable files (.exe, .scr, .rar, .zip, .htm, .html). Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair, resulting in an inoperative machine.

Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain the following files:
*.exe
*.scr
*.htm
*.html
*.xml
*.zip
*.rar
*.doc
*.jpg
*.pdf

Backup all your documents and important items only.
DO NOT backup any files mentioned above.

I suggest you do the following immediately:

* Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
* From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
* DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

For more information on Virut, and why you need to reformat, have a read of miekiemoes blog here.

To find out how to carry out an XP Reformat and Reinstall, please see this page. If you are using Vista, then check this page instead.

Once you have reformatted and reinstalled Windows, have a look at this page for some useful tips on staying clean, along with links to some freeware to help.

To find out more information about how you may have got infected in the first place, you can read this article.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 rtoddbensel

rtoddbensel
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:16 PM

Posted 14 February 2010 - 01:07 AM

Thanks for the good advice. I only have one problem - I don't have an install disk! ASUS sold these machines without one. I have backups of all of my non-executable files. But I don't know what to do about the operating system disk! Can I replace the .dll's using replacements from another operating system disk? Or is that just asking for trouble? And as far as banking, credit cards, or other security-related issues, I just don't do it - I mean that really! I don't bank online, purchase online, or do any important business online, just browse.

#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,770 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:10:16 PM

Posted 14 February 2010 - 01:17 AM

Since you have your data backed up, you can use Acer eRecovery to restore the computer to its original state.
You should be able to access it by pressing ALT+F10 (desktop) or F10 (laptop) at the Acer logo.



#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:16 AM

Posted 14 February 2010 - 01:19 AM

Hello rtoddbensel,

Couple of things here......

Posting in the wrong forum lets regular members, who should NOT be posting malware advice, post to the users. :thumbsup: Broni is not qualified or allowed to be giving you advice on this forum, anywhere. Please remember that for the future and be careful where you post. :trumpet:

That said.....you are just going to have to cut your losses here. If you do any part of what you want to do, anything pulled from this infected machine will just infect the clean one every time. Don't do it! If you cannot get a disk from ASUS (they should supply you with one if you ask), then you'll just have to purchase a new disk. More info on what you have:

Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
  • Immediately before the encrypted code at the end of the last section
  • At the end of the code section of the infected host in 'slack-space' (assuming there is any)
  • At the original entry point of the host (overwriting the original host code)


Miekiemoes, one of our team members here and an MS-MVP, additionally has a blog post about Virut.

There are no exceptions here, I'm sorry to say. :flowers:

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?
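The McAfee description quoted above gives a defender something concrete to look for on a quarantined sample before trusting (or distrusting) a single scanner's verdict: code living in the last section, or an entry point that no longer lands in the original code section. The script below is an added example, not from the thread or from any vendor; it parses the PE header table directly and flags those layout symptoms as heuristics (not a signature), and every PE image it inspects is constructed in the block itself.

```python
"""Heuristic PE layout checks for the symptoms described in the quoted text (added example).
Flags an entry point inside the last section, or an executable last section the linker never
marked as code.  Triage aid only; all PE images below are constructed, not real binaries."""
import struct
SCN_CODE, SCN_EXEC = 0x00000020, 0x20000000  # IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE

def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, vaddr, vsize, rawsize, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew -> "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)  # COFF header
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]  # optional header +16 = entry point
    secs = []
    for i in range(nsec):                                  # 40-byte section headers follow
        name, vs, va, rs, *_, ch = struct.unpack_from("<8sIIIIIIHHI", data, pe + 24 + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), va, vs, rs, ch))
    return entry, secs

def infection_indicators(data):
    """Heuristic indicators of appended code / entry-point tampering (empty list = none)."""
    entry, secs = parse_pe(data)
    hits = []
    last = secs[-1]
    if last[4] & SCN_EXEC and not last[4] & SCN_CODE:      # data section made executable
        hits.append(f"last section {last[0]} is executable but not marked as code")
    for name, va, vs, rs, ch in secs:
        if va <= entry < va + max(vs, rs):                 # section containing the entry point
            if name == last[0] and len(secs) > 1:
                hits.append(f"entry point 0x{entry:x} lies in the last section {name}")
            if not ch & SCN_EXEC:
                hits.append(f"entry point 0x{entry:x} lies in non-executable section {name}")
            break
    return hits

def build_pe(secs, entry):
    """Construct minimal PE32 headers (constructed test data; no code bytes, not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                      # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIII", 0x10B, 0, 0, 0, 0, 0, entry, 0).ljust(224, b"\0")
    hdr = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, 0, 0, 0, 0, 0, ch)
                   for n, va, vs, rs, ch in secs)
    return dos + coff + opt + hdr

# Constructed samples: a normal layout, and one whose entry point was moved into a now-executable .data.
CLEAN = build_pe([(".text", 0x1000, 0x500, 0x600, SCN_CODE | SCN_EXEC), (".data", 0x2000, 0x100, 0x200, 0x40000040)], 0x1100)
TAMPERED = build_pe([(".text", 0x1000, 0x500, 0x600, SCN_CODE | SCN_EXEC), (".data", 0x2000, 0x900, 0x900, 0x60000040)], 0x2050)
```

A clean-looking header table does not prove a file is clean (a decryptor in code-section slack space leaves this layout intact), so an empty result is a reason to go on to a multi-engine check such as the VirusTotal scan suggested later in the thread, not a verdict.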

#6 rtoddbensel

rtoddbensel
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:16 PM

Posted 14 February 2010 - 01:23 AM

thanks tea!
I'll just contact ASUS and see if they can supply a disk and then reformat. I thought that this is where it would end up. Hope springs eternal!

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:16 AM

Posted 14 February 2010 - 01:27 AM

You're welcome, though I wish I could have given you better news. :thumbsup:

Take care!
tea

#8 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,770 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:10:16 PM

Posted 14 February 2010 - 01:27 AM

Broni is not qualified or allowed to be giving you advice on this forum, anywhere

I apologize for breaking a rule :thumbsup:



#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,717 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:01:16 AM

Posted 16 February 2010 - 08:27 AM

Someone has alerted me that ClamWin may have false positives on Userinit.exe stating it is virut. You may want to read this topic:

http://forums.clamwin.com/viewtopic.php?p=11616

Please scan c:\Windows\System32\userinit.exe with http://www.virustotal.com first before reinstalling your computer.

#10 massx

massx

  • Members
  • 1 posts
  • OFFLINE
  • Local time:01:16 AM

Posted 16 February 2010 - 12:55 PM

Update your ClamWin virus db and you should get an all clear. Clam was very slow in responding to this false positive.
