Infected with a possible VIRUT - ROOTKIT hybrid..?


  • This topic is locked This topic is locked
2 replies to this topic

#1 Irish Dave

Posted 16 September 2010 - 04:09 PM

Hello There,

First off, I'm happy to have found such a forum as this. I've read a lot from it in the past few days.

Let me tell you about my machine -- I built it entirely from scratch and have been using it nicely for almost 2 years now without any problems.

My OS is Windows XP with SP3.
My internet browser is Firefox 3.6.9

The problems began late Sunday night (13 SEP 2010) or early Monday morning, when I clicked on what I thought would be a hilarious "FAIL" video from within the Facebook wall. Instead, it took me to another site that I didn't recognize.

The problems mimic the Google Redirect Virus and its closely related "waiting for www.google-analytics.com" issue. I read articles both here and in other places on how to deal with that.

I've used HijackThis, MalwareBytes, TDSSKiller and attempted also to run ComboFix at the advice of an IT-professional (friend of mine) but was unable to run it due to an error that said the computer was infected with "Virut". I've tracked down registry keys and values, looked at processes, services and other things to try to solve this.

I'll tell you what I SEE and experience right now:

1. I see a mysterious file called "2008.exe" in the root of C:\ and when I delete it, it stays away until I reboot, and then it's back again.
2. I see a folder created also in the root of C:\ which has a long name and suffixed with .tmp, which contains but a single file, "iexplore.exe"
3. A mysterious process from C:\WINDOWS\ called svc2.exe kept starting until I edited my MSConfig settings in the Startup tab and unchecked it. SOMETHING, however, occasionally brings it back!
4. Every time I restart, whether in regular or Safe Mode, IEXPLORE.EXE pops up as a process, even though I'm not (ever) running Internet Explorer, and it starts usually within 10 seconds of logging in. This process starts also regardless of whether I'm logged in as myself, Administrator, or anyone else (there's only one other active profile on my machine, belonging to my brother).
5. Upon restart, my hosts file gets rewritten exactly as follows:

127.0.0.1 www.Brenz.pl
#/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost


212.117.178.25 www.google.com
212.117.163.43 search.yahoo.com

...that is, until I made the hosts file read-only, and it hasn't been hacked since.

6. As far as the "google redirect" issue goes, when I go to www.google.com and use the search engine that way, I can click on any result I find without problem. However, when I use the google search tool built in (I do not have the Google Toolbar installed), I get the same search results, but clicking on any of the links redirects me to random ads.


I have not heard any follow-up on the issue of Virut and whether or not there is a legitimate and permanent fix to it. It seemed that the consensus from more than a year ago was that if you had Virut, you were simply hosed. Is this still the case one year later??

I'll be ready to provide any other info and results/logs from new attempts to fix this upon request.

Many thanks,

Irish Dave

Edited by hamluis, 16 September 2010 - 05:19 PM.
Moved from XP to Am I Infected ~ Hamluis.
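Symptom 5 above (the hosts file being rewritten so that www.google.com and search.yahoo.com resolve to routable addresses) is easy to check for mechanically. The following is an added example, not code from the thread or from any tool named in it: it parses hosts-file text and flags watched search domains mapped anywhere other than loopback, plus any non-default loopback entry for review. The sample text is constructed to mirror the quoted file, and the watched-domain list is an assumption.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample modelled on the rewritten hosts file quoted in the post.
SAMPLE_HOSTS = """\
127.0.0.1 www.Brenz.pl
#/IP for Windows.
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost

212.117.178.25 www.google.com
212.117.163.43 search.yahoo.com
"""

# Assumed watch list: domains that should never resolve through a local hosts override.
WATCHED_DOMAINS = {"www.google.com", "search.yahoo.com", "www.google-analytics.com"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop trailing comment, then tokenise
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first token is not an address, so not a mapping
        entries.extend((fields[0], name.lower()) for name in fields[1:])
    return entries


def suspicious_entries(text: str) -> List[Tuple[str, str, str]]:
    """Flag hijacked search domains and any non-default loopback mapping."""
    findings = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if name in WATCHED_DOMAINS and not addr.is_loopback:
            findings.append((ip, name, "watched domain redirected to routable address"))
        elif addr.is_loopback and name not in LOCAL_NAMES:
            findings.append((ip, name, "non-default loopback entry, review"))
    return findings
```

Run `suspicious_entries(open(r"C:\WINDOWS\system32\drivers\etc\hosts").read())` on a live machine; the two 212.117.x.x lines in the sample are the ones that produce the search redirects described in the post.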


#2 m0le

  • Malware Response Team

Posted 25 September 2010 - 06:31 AM

Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558
QUOTE(AVG Technologies)
There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034
QUOTE(Network Associates)
W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
Immediately before the encrypted code at the end of the last section
At the end of the code section of the infected host in 'slack-space' (assuming there is any)
At the original entry point of the host (overwriting the original host code)


Miekiemoes, one of our team members here and an MS-MVP, additionally has a blog post about Virut.
m0le is a proud member of UNITE
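The quoted vendor description says the infector appends its encrypted body to the last section of a PE file and may place the polymorphic decryptor at the end of that section. Of the three decryptor layouts listed, only that one moves the entry point out of the code section; the slack-space and overwrite layouts leave it in place and need content analysis instead. The following added example (not code from the thread or from the vendors quoted) reads the PE headers and reports where AddressOfEntryPoint lands, as a triage heuristic for that first layout. The `build_sample_pe` helper is a constructed headers-only image used only as test input.

```python
import struct
from typing import List, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020  # section characteristics flag: contains code


def build_sample_pe(entry_rva: int) -> bytes:
    """Constructed minimal PE32 image (headers only, .text then .data) for testing."""
    img = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                       # SizeOfOptionalHeader = 0xE0
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    img += opt
    for name, va, flags in ((b".text", 0x1000, 0x60000020), (b".data", 0x2000, 0xC0000040)):
        img += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x1000, va, 0x1000, 0, 0, 0, 0, 0, flags)
    return bytes(img)


def parse_pe(data: bytes) -> Tuple[int, List[Tuple[str, int, int, int]]]:
    """Read AddressOfEntryPoint and the section table (name, va, size, flags) in file order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]
    sections = []
    for i in range(nsec):
        off = pe + 24 + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize = struct.unpack_from("<III", data, off + 8)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, va, max(vsize, rawsize), flags))
    return entry, sections


def entry_point_verdict(data: bytes) -> str:
    """Flag an entry point that lands in a non-code or trailing section. Layouts that
    keep the entry point inside the code section are not visible to this check."""
    entry, sections = parse_pe(data)
    for idx, (name, va, size, flags) in enumerate(sections):
        if va <= entry < va + size:
            if not flags & IMAGE_SCN_CNT_CODE:
                return f"SUSPICIOUS: entry point in non-code section {name}"
            if idx == len(sections) - 1 and idx > 0:
                return f"REVIEW: entry point in last section {name}"
            return f"OK: entry point in code section {name}"
    return "SUSPICIOUS: entry point outside every section"
```

A SUSPICIOUS or REVIEW verdict is a reason to scan the file, not proof of infection; packers and some linkers legitimately place the entry point in a trailing section.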

#3 m0le


Posted 29 September 2010 - 06:39 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



