
My first Virus...Virut


This topic is locked
20 replies to this topic

#1 karagarga

karagarga

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:34 PM

Posted 01 November 2013 - 06:11 PM

So I will try to help in advance. My main question is: if I do have the Virut virus, do I have to format all of my drives, or just my operating system? My OS is on an OCZ 128 SSD and I also have one 2TB and two 1TB drives, all of which have important information on them. Here is a copy ( http://speccy.piriform.com/results/FinKY34kHaKNmj4mzZLDcp3 ). I have used RKill in Safe Mode and also used ComboFix, which gave me the "Virut" error message. Here is also the bluescreen download info as well.

Attached Files
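Editor's note on the question above (an added example, not from the poster or from BleepingComputer staff): Virut is a polymorphic file infector. It does not only run as a process; it writes its code into Windows executables (.exe and .scr files) on every writable volume it can reach, which is why the data drives are in scope even though the OS lives on the SSD. Reinstalling Windows cleans the SSD, but every executable on the 2TB and 1TB drives that was present while the infection was active has to be treated as suspect. The script below, written for this page and not the poster's own tool, inventories every PE image under the given roots by parsing the DOS and NT headers instead of trusting the file extension, hashes each one, and diffs a later run against the first; the sample tree, the file names and the `pe_inventory.json` baseline name are constructed for the example. Run it from a clean boot (a rescue medium with the drives mounted read-only), never from the infected Windows, because any program started there may itself carry the infector. A diff only shows change since the baseline, so without a pre-infection baseline the safe course remains: delete the executables on the data drives and reinstall them from known-good media, keeping only the non-executable data.

```python
"""Inventory PE executables on mounted volumes and diff them against a baseline.

Added example for the Virut question above; not the poster's or BleepingComputer's code.
File names, the sample tree and the baseline file name are this example's assumptions.
"""
import hashlib
import json
import os
import struct
import tempfile
from pathlib import Path


def is_pe(path: Path) -> bool:
    """True if the file has an MZ DOS header whose e_lfanew points at 'PE\\0\\0'.

    A file infector targets PE images, not particular extensions, so the check is
    done on the bytes rather than on the name.
    """
    try:
        with path.open("rb") as f:
            dos = f.read(64)                      # IMAGE_DOS_HEADER is 64 bytes
            if len(dos) < 64 or dos[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", dos, 60)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(roots) -> dict:
    """Map every PE file under the given roots to its size and SHA-256."""
    result = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                if p.is_symlink() or not p.is_file():
                    continue
                if is_pe(p):
                    result[str(p)] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return result


def diff_inventory(baseline: dict, current: dict) -> dict:
    """Report PE files that are new, changed (hash differs) or missing since the baseline."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "changed": sorted(p for p in current
                          if p in baseline and current[p]["sha256"] != baseline[p]["sha256"]),
        "missing": sorted(set(baseline) - set(current)),
    }


def run(baseline_file: Path, roots) -> dict:
    """First run writes the baseline; later runs diff the current state against it."""
    current = inventory(roots)
    if baseline_file.exists():
        return diff_inventory(json.loads(baseline_file.read_text()), current)
    baseline_file.write_text(json.dumps(current, indent=2))
    return {"baseline_written": len(current)}


def demo() -> dict:
    """Constructed sample: baseline a small tree, append code to one PE, diff."""
    base = Path(tempfile.mkdtemp(prefix="pe_inventory_"))
    # Minimal PE-shaped file: MZ header, e_lfanew = 64, NT signature right after it.
    pe_bytes = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + b"\0" * 20
    (base / "tool.exe").write_bytes(pe_bytes)
    (base / "setup.dat").write_bytes(pe_bytes)            # PE hiding behind a data extension
    (base / "notes.txt").write_bytes(b"MZ is not enough on its own")
    (base / "readme.exe").write_bytes(b"not really an executable")
    baseline = inventory([base])
    with (base / "tool.exe").open("ab") as f:             # infector-style append to an image
        f.write(b"\x90" * 32)
    (base / "new.scr").write_bytes(pe_bytes)              # an executable that appeared later
    report = diff_inventory(baseline, inventory([base]))
    return {"baseline_count": len(baseline),
            **{k: [Path(p).name for p in v] for k, v in report.items()}}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python pe_inventory.py ROOT [ROOT ...]   e.g. the mounted data drives
        print(json.dumps(run(Path("pe_inventory.json"), sys.argv[1:]), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

The demo deliberately includes a PE with a `.dat` extension and a text file that starts with `MZ`: the header walk classifies both correctly, where an extension filter would miss the first and a plain magic-byte check would accept the second. The same applies on the real drives, which is the reason to inventory by header rather than by name.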





#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,624 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:34 PM

Posted 06 November 2013 - 06:15 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1. In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/512631 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2. If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 karagarga

karagarga
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:34 PM

Posted 06 November 2013 - 11:38 PM

I tried to post a zip file but was unable. Here are the results (copy & paste). My "H" hard drive is failing and I am in the process of transferring everything, and then I will replace it with another hard drive.

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 10.0.9200.16720

Run by computer at 22:23:06 on 2013-11-06

Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.12286.9680 [GMT -6:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}

AV: Advanced SystemCare Ultimate *Enabled/Updated* {1C304DC4-1D72-5DB9-B33A-43B638ECFD30}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascsvc.exe

C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\Explorer.EXE

C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Windows\system32\taskeng.exe

C:\Program Files (x86)\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe

C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\Monitor.exe

C:\Program Files (x86)\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ASCTray.exe

C:\Program Files (x86)\D-Link\DWA-548\ANIWConnService.exe

C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\SysWOW64\XSrvSetup.exe

C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe

C:\Program Files (x86)\Google\Update\1.3.21.165\GoogleCrashHandler.exe

C:\Program Files (x86)\Google\Update\1.3.21.165\GoogleCrashHandler64.exe

C:\Program Files (x86)\Skype\Phone\Skype.exe

C:\Program Files (x86)\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe

C:\Program Files (x86)\Gigabyte\GIGABYTE OC_GURU II\OC_GURU.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe

C:\Program Files (x86)\ATI\Catalyst Media Center\CMCService.exe

C:\Program Files (x86)\D-Link\DWA-548\AirNCFG.exe

C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\ehome\ehRecvr.exe

C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe

C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe

C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings64.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_117.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_117.exe

C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\Asc.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://search.yahoo.com/?type=994519&fr=spigot-yhp-ie

uDefault_Page_URL = about:blank

uURLSearchHooks: Vuze Remote Toolbar: {05478A66-EDB6-4A22-A870-A5987F80A7DA} - C:\Program Files (x86)\Vuze Remote Toolbar\IE\8.1\vuzeToolbarIE.dll

mWinlogon: Userinit = userinit.exe

BHO: Vuze Remote Toolbar: {05478A66-EDB6-4A22-A870-A5987F80A7DA} - C:\Program Files (x86)\Vuze Remote Toolbar\IE\8.1\vuzeToolbarIE.dll

BHO: Slick Savings: {34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5} - C:\Users\computer\AppData\Roaming\Slick Savings\Coupons.dll

BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: Advanced SystemCare Browser Protection: {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} - C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\BrowerProtect\ASCPlugin_Protection.dll

TB: Vuze Remote Toolbar: {05478A66-EDB6-4A22-A870-A5987F80A7DA} - C:\Program Files (x86)\Vuze Remote Toolbar\IE\8.1\vuzeToolbarIE.dll

uRun: [Advanced SystemCare Ultimate] "C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ASCTray.exe" /AutoStart

uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun

uRun: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe

uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun

uRun: [eMuleAutoStart] C:\Program Files (x86)\eMule\emule.exe -AutoStart

mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"

mRun: [CMCService] "C:\Program Files (x86)\ATI\Catalyst Media Center\CMCService.exe"

mRun: [D-Link D-Link DWA-548] C:\Program Files (x86)\D-Link\DWA-548\AirNCFG.exe

mRun: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"

StartupFolder: C:\Users\computer\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\GIGATR~1.LNK - C:\Program Files (x86)\GigaTribe\gigatribe.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\GIGABY~1.LNK - C:\Program Files (x86)\Gigabyte\GIGABYTE OC_GURU II\OC_GURU.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:0

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableLUA = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: PromptOnSecureDesktop = dword:0

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: NameServer = 192.168.1.1

TCP: Interfaces\{30F0E4D5-9AA7-451E-AD96-3690BEBDF1C9} : DHCPNameServer = 192.168.1.1

TCP: Interfaces\{79E09282-AC86-471B-BF50-89E4514B093D} : DHCPNameServer = 192.168.1.1

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll

SSODL: WebCheck - <orphaned>

x64-BHO: Slick Savings: {34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5} - C:\Users\computer\AppData\Roaming\Slick Savings\Coupons64.dll

x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll

x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey

x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s

x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll

x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll

x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>

x64-SSODL: WebCheck - <orphaned>

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\computer\AppData\Roaming\Mozilla\Firefox\Profiles\3vo3ctrq.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo!

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=994519&p=

FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_117.dll

FF - ExtSQL: 2013-11-01 23:36; ascsurfingprotection@iobit.com; C:\Users\computer\AppData\Roaming\Mozilla\Firefox\Profiles\3vo3ctrq.default\extensions\ascsurfingprotection@iobit.com

FF - ExtSQL: 2013-11-04 22:24; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}

FF - ExtSQL: 2013-11-06 15:17; vuze@mybrowserbar.com; C:\Program Files (x86)\Vuze Remote Toolbar\FF

FF - ExtSQL: 2013-11-06 15:37; savingsslider@mybrowserbar.com; C:\Users\computer\AppData\Roaming\Mozilla\Firefox\Profiles\3vo3ctrq.default\extensions\savingsslider@mybrowserbar.com

.

============= SERVICES / DRIVERS ===============

.

R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-6-18 247216]

R1 anodlwf;ANOD Network Security Filter driver;C:\Windows\System32\drivers\anodlwfx.sys [2013-11-2 15872]

R1 AppleCharger;AppleCharger;C:\Windows\System32\drivers\AppleCharger.sys [2013-11-1 21616]

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2013-11-1 283064]

R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]

R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]

R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2013-5-23 143120]

R2 AdvancedSystemCareService6;Advanced SystemCare Service 6;C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ASCSvc.exe [2013-11-1 1051088]

R2 Application Updater;Application Updater;C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe [2013-10-24 807800]

R2 ASCAntivirusSrv;AdvancedSystemCareAntivirus;C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ASCAvSvc.exe [2013-11-1 623936]

R2 D_Link_DWA-548_WPS;D_Link_DWA-548_WPS Service;C:\Program Files (x86)\D-Link\DWA-548\ANIWConnService.exe [2013-11-2 53248]

R2 ES lite Service;ES lite Service for program management.;C:\Program Files (x86)\Gigabyte\EasySaver\essvr.exe [2013-11-1 68136]

R2 JMB36X;JMB36X;C:\Windows\SysWOW64\XSrvSetup.exe [2013-11-1 72280]

R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-10-9 3275136]

R3 GPCIDrv;GPCIDrv;C:\Program Files (x86)\Gigabyte\GIGABYTE OC_GURU II\GPCIDrv64.sys [2010-2-4 14376]

R3 netr28x;D-Link 802.11n Extensible Wireless Driver;C:\Windows\System32\drivers\Dnetr28x.sys [2013-11-2 1813056]

R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [1999-12-31 80384]

R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [1999-12-31 181248]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2013-11-1 685672]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-9-5 171680]

S3 amdiox64;AMD IO Driver;C:\Windows\System32\drivers\amdiox64.sys [2013-11-1 46136]

S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]

S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-21 71168]

S3 ICCS;Intel® Integrated Clock Controller Service - Intel® ICCS;C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [2013-11-1 160256]

S3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2013-6-18 139616]

S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-8-12 366600]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2010-11-20 20992]

S3 SWDUMon;SWDUMon;C:\Windows\System32\drivers\SWDUMon.sys [2013-11-1 16152]

S3 Synth3dVsc;Synth3dVsc;C:\Windows\System32\drivers\Synth3dVsc.sys [2010-11-21 88960]

S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2010-11-21 34816]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]

S3 tsusbhub;tsusbhub;C:\Windows\System32\drivers\tsusbhub.sys [2010-11-21 117248]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-3-24 1255736]

.

=============== Created Last 30 ================

.

2013-11-06 21:18:02 -------- d-----w- C:\Users\computer\.swt

2013-11-06 21:17:34 -------- d-----w- C:\Users\computer\AppData\Roaming\Slick Savings

2013-11-06 21:17:34 -------- d-----w- C:\Users\computer\AppData\Local\Slick Savings

2013-11-06 21:17:32 -------- d-----w- C:\Program Files (x86)\Application Updater

2013-11-06 21:17:28 -------- d-----w- C:\Program Files (x86)\Vuze Remote Toolbar

2013-11-06 21:17:28 -------- d-----w- C:\Program Files (x86)\Common Files\Spigot

2013-11-06 21:16:41 -------- d-----w- C:\Users\computer\AppData\Roaming\Azureus

2013-11-06 21:16:38 -------- d-----w- C:\Program Files (x86)\Vuze

2013-11-06 20:15:48 75888 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0866E61D-F853-4976-9B27-9068B5C84076}\offreg.dll

2013-11-06 07:36:27 736952 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll

2013-11-06 02:12:40 10280728 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0866E61D-F853-4976-9B27-9068B5C84076}\mpengine.dll

2013-11-05 04:40:13 1974616 ----a-w- C:\Windows\SysWow64\D3DCompiler_42.dll

2013-11-05 04:40:12 1892184 ----a-w- C:\Windows\SysWow64\D3DX9_42.dll

2013-11-05 04:22:45 -------- d-----r- C:\Program Files (x86)\Skype

2013-11-04 22:47:44 86016 ----a-w- C:\Windows\unvise32.exe

2013-11-04 22:47:13 -------- d-----w- C:\Program Files (x86)\IPCamClient

2013-11-04 22:46:57 749568 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iKernel.dll

2013-11-04 22:46:57 69715 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\ctor.dll

2013-11-04 22:46:57 5632 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\DotNetInstaller.exe

2013-11-04 22:46:57 274432 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iscript.dll

2013-11-04 22:46:57 180224 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iuser.dll

2013-11-04 22:46:56 323716 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\setup.dll

2013-11-04 22:46:56 192644 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iGdi.dll

2013-11-04 09:48:46 10280728 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-11-03 09:42:56 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll

2013-11-03 00:02:04 -------- d-----w- C:\Users\computer\AppData\Roaming\MPC-HC

2013-11-02 19:30:26 -------- d-----w- C:\Users\computer\AppData\Local\Shalsoft

2013-11-02 18:27:37 -------- d-----w- C:\Program Files (x86)\GigaTribe

2013-11-02 17:34:45 -------- d-----w- C:\Users\computer\AppData\Roaming\OpenOffice

2013-11-02 17:34:12 -------- d-----w- C:\Program Files (x86)\OpenOffice 4

2013-11-02 17:31:56 -------- d-----w- C:\Program Files (x86)\OpenOffice

2013-11-02 17:15:03 302080 ------w- C:\Windows\lwd.exe

2013-11-02 17:10:03 327008 ----a-w- C:\Windows\System32\RaCoInstx.dll

2013-11-02 17:10:03 1813056 ----a-w- C:\Windows\System32\drivers\Dnetr28x.sys

2013-11-02 17:10:03 15872 ----a-w- C:\Windows\System32\drivers\anodlwfx.sys

2013-11-02 17:10:02 -------- d-----w- C:\Program Files (x86)\D-Link

2013-11-02 16:59:47 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll

2013-11-02 16:39:38 -------- d-----w- C:\Program Files\PeerBlock

2013-11-02 16:34:59 -------- d-----w- C:\ProgramData\eMule

2013-11-02 16:34:32 -------- d-----w- C:\Users\computer\AppData\Local\eMule

2013-11-02 16:34:30 -------- d-----w- C:\Program Files (x86)\eMule

2013-11-02 12:49:35 -------- d-----w- C:\Program Files\PlayReady

2013-11-02 12:45:11 -------- d-----w- C:\Program Files\Common Files\ATI Technologies

2013-11-02 12:43:40 148992 ----a-w- C:\Windows\System32\atinpprr.ax

2013-11-02 12:43:40 1288320 ----a-w- C:\Windows\System32\drivers\atinavrr.sys

2013-11-02 12:43:40 110592 ----a-w- C:\Windows\SysWow64\atinpwrr.ax

2013-11-02 12:43:35 24576 ----a-w- C:\Windows\System32\drivers\NcRemotePci.SYS

2013-11-02 12:43:06 -------- d-----w- C:\Program Files\ATI Technologies

2013-11-02 12:43:02 -------- d-----w- C:\Program Files\ATI

2013-11-02 12:39:10 -------- d-----w- C:\Users\computer\AppData\Local\ATI

2013-11-02 10:14:56 9728 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll

2013-11-02 06:27:00 737072 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll

2013-11-02 06:16:44 2876528 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll

2013-11-02 06:16:29 42776 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll

2013-11-02 06:16:21 539984 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

2013-11-02 06:07:20 -------- d-----w- C:\Windows\Panther

2013-11-02 05:41:38 -------- d-----w- C:\Program Files (x86)\Renesas Electronics

2013-11-02 05:38:48 46136 ----a-w- C:\Windows\System32\drivers\amdiox64.sys

2013-11-02 05:38:48 -------- d-----w- C:\ProgramData\AMD

2013-11-02 05:38:41 16552 ----a-w- C:\Windows\System32\drivers\AtiPcie64.sys

2013-11-02 05:27:06 315904 ----a-w- C:\Windows\SysWow64\Difx7a7c.rra

2013-11-02 05:26:55 123704 ----a-w- C:\Windows\System32\drivers\jraid.sys

2013-11-02 05:24:53 -------- d-----w- C:\Users\computer\AppData\Local\Adobe

2013-11-02 05:21:45 -------- d-----w- C:\GvTemp

2013-11-02 05:18:13 965000 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FCC445EE-FBC4-45AD-B834-FA32258D0EAB}\gapaengine.dll

2013-11-02 05:05:03 74344 ----a-w- C:\Windows\System32\RtNicProp64.dll

2013-11-02 05:05:03 685672 ----a-w- C:\Windows\System32\drivers\Rt64win7.sys

2013-11-02 05:03:16 16152 ----a-w- C:\Windows\System32\drivers\SWDUMon.sys

2013-11-02 05:01:59 -------- d-----w- C:\Windows\System32\appmgmt

2013-11-02 05:00:52 -------- d-----w- C:\Users\computer\AppData\Local\SlimWare Utilities Inc

2013-11-02 04:53:32 -------- d-----w- C:\Users\computer\AppData\Local\Macromedia

2013-11-02 04:50:27 -------- d-----w- C:\Users\computer\AppData\Local\Google

2013-11-02 04:40:12 -------- d-----w- C:\ProgramData\eSafe

2013-11-02 04:39:31 283064 ----a-w- C:\Windows\System32\drivers\dtsoftbus01.sys

2013-11-02 04:39:29 -------- d-----w- C:\Users\computer\AppData\Roaming\DAEMON Tools Lite

2013-11-02 04:39:28 -------- d-----w- C:\Program Files (x86)\DAEMON Tools Lite

2013-11-02 04:38:49 -------- d-----w- C:\ProgramData\DAEMON Tools Lite

2013-11-02 04:36:23 -------- d-----w- C:\ProgramData\{D76294E6-03B8-4971-AF2E-3F846161A690}

2013-11-02 04:36:23 -------- d-----w- C:\ProgramData\{5A85B23A-4B58-47D1-9B9C-DFBD7866099F}

2013-11-02 04:36:23 -------- d-----w- C:\IObit

2013-11-02 04:36:22 -------- d-----w- C:\Users\computer\AppData\Roaming\IObit

2013-11-02 04:36:22 -------- d-----w- C:\ProgramData\IObit

2013-11-02 04:36:16 -------- d-----w- C:\Program Files (x86)\IObit

2013-11-02 04:35:12 -------- d-----w- C:\Users\computer\AppData\Roaming\IrfanView

2013-11-02 04:35:12 -------- d-----w- C:\Program Files (x86)\IrfanView

2013-11-02 04:26:45 -------- d-----w- C:\Users\computer\AppData\Roaming\SUPERAntiSpyware.com

2013-11-02 04:26:28 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com

2013-11-02 04:26:28 -------- d-----w- C:\Program Files\SUPERAntiSpyware

2013-11-02 04:24:18 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client

2013-11-02 04:24:17 -------- d-----w- C:\Program Files\Microsoft Security Client

2013-11-02 04:20:58 -------- d-----w- C:\Program Files (x86)\K-Lite Codec Pack

2013-11-02 04:20:28 -------- d-----w- C:\Users\computer\AppData\Local\Programs

2013-11-02 04:18:07 8704 ----a-w- C:\Program Files (x86)\vdub.exe

2013-11-02 04:18:07 73728 ----a-w- C:\Program Files (x86)\vdremote.dll

2013-11-02 04:18:07 69632 ----a-w- C:\Program Files (x86)\vdicmdrv.dll

2013-11-02 04:18:07 69632 ----a-w- C:\Program Files (x86)\auxsetup.exe

2013-11-02 04:18:07 65536 ----a-w- C:\Program Files (x86)\vdsvrlnk.dll

2013-11-02 04:18:07 3584 ----a-w- C:\Program Files (x86)\vdlaunch.exe

2013-11-02 04:18:07 3152384 ----a-w- C:\Program Files (x86)\VirtualDub.exe

2013-11-02 04:18:07 -------- d-----w- C:\Program Files (x86)\plugins32

2013-11-02 04:18:07 -------- d-----w- C:\Program Files (x86)\aviproxy

2013-11-02 04:04:48 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys

2013-11-02 04:04:48 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll

2013-11-02 04:04:48 744448 ----a-w- C:\Windows\System32\WUDFx.dll

2013-11-02 04:04:48 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll

2013-11-02 04:04:48 229888 ----a-w- C:\Windows\System32\WUDFHost.exe

2013-11-02 04:04:48 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys

2013-11-02 04:04:48 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll

2013-11-02 04:02:12 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2013-11-02 04:02:12 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2013-11-02 03:58:04 -------- d-----w- C:\Program Files\Speccy

2013-11-02 03:57:11 -------- d-----w- C:\Windows\System32\MRT

2013-11-02 03:56:47 81408 ----a-w- C:\Windows\System32\imagehlp.dll

2013-11-02 03:56:47 5120 ----a-w- C:\Windows\SysWow64\wmi.dll

2013-11-02 03:56:47 5120 ----a-w- C:\Windows\System32\wmi.dll

2013-11-02 03:56:47 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys

2013-11-02 03:56:47 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll

2013-11-02 03:53:12 -------- d-----w- C:\Program Files\CCleaner

2013-11-02 03:39:50 15855568 ----a-w- C:\Windows\SysWow64\nvwgf2um.dll

2013-11-02 03:39:50 1435504 ----a-w- C:\Windows\System32\nvumdshimx.dll

2013-11-02 03:39:31 3067560 ----a-w- C:\Windows\System32\nvapi64.dll

2013-11-02 03:39:05 -------- d-----w- C:\Program Files\NVIDIA Corporation

2013-11-02 03:37:32 25640 ----a-w- C:\Windows\gdrv.sys

2013-11-02 03:32:28 8199504 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll

2013-11-02 03:32:26 10280728 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C7C31B99-2499-408C-BBF5-B5D15795A27C}\mpengine.dll

2013-11-02 03:26:18 2048 ----a-w- C:\Windows\SysWow64\msxml3r.dll

2013-11-02 03:25:55 30720 ----a-w- C:\Windows\System32\cryptdlg.dll

2013-11-02 03:24:58 1888768 ----a-w- C:\Windows\System32\WMVDECOD.DLL

2013-11-02 03:23:58 162392 ----a-w- C:\Windows\SysWow64\xRaidAPI.dll

2013-11-02 03:23:57 72280 ------r- C:\Windows\SysWow64\XSrvSetup.exe

2013-11-02 03:23:57 1976920 ----a-w- C:\Windows\SysWow64\xRaidSetup.exe

2013-11-02 03:23:56 -------- d-----w- C:\RaidTool

2013-11-02 03:23:43 -------- d-sh--w- C:\Windows\Installer

2013-11-02 03:23:36 -------- d-----w- C:\Windows\RaidTool

2013-11-02 03:22:47 107552 ----a-w- C:\Windows\System32\RTNUninst64.dll

2013-11-02 03:18:46 75120 ----a-w- C:\Windows\System32\drivers\partmgr.sys

2013-11-02 03:17:39 90624 ----a-w- C:\Windows\System32\drivers\bowser.sys

2013-11-02 03:17:39 723456 ----a-w- C:\Windows\System32\EncDec.dll
2013-11-02 03:17:39 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2013-11-02 03:17:38 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2013-11-02 03:17:38 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2013-11-02 03:17:38 331776 ----a-w- C:\Windows\System32\oleacc.dll
2013-11-02 03:17:38 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll
2013-11-02 03:17:35 461312 ----a-w- C:\Windows\System32\scavengeui.dll
2013-11-02 03:17:34 983488 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2013-11-02 03:17:34 265064 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2013-11-02 03:17:34 144384 ----a-w- C:\Windows\System32\cdd.dll
2013-11-02 03:17:07 67072 ----a-w- C:\Windows\splwow64.exe
2013-11-02 03:17:07 559104 ----a-w- C:\Windows\System32\spoolsv.exe
2013-11-02 03:16:43 77312 ----a-w- C:\Windows\System32\packager.dll
2013-11-02 03:16:43 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2013-11-02 03:16:29 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2013-11-02 03:16:29 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2013-11-02 03:16:29 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2013-10-27 14:12:52 18286416 ----a-w- C:\Windows\System32\nvwgf2umx.dll
2013-10-09 16:58:02 4879744 ----a-w- C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2013-10-09 16:58:02 4879744 ----a-w- C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
.
==================== Find3M  ====================
.
2013-11-02 10:14:56 9728 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-10-27 14:12:50 1241376 ----a-w- C:\Windows\SysWow64\nvumdshim.dll
2013-10-25 18:00:00 127488 ----a-w- C:\Windows\System32\ff_vfw.dll
2013-10-25 18:00:00 112640 ----a-w- C:\Windows\SysWow64\ff_vfw.dll
2013-09-14 01:10:19 497152 ----a-w- C:\Windows\System32\drivers\afd.sys
2013-09-08 02:30:37 1903552 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2013-09-08 02:27:14 327168 ----a-w- C:\Windows\System32\mswsock.dll
2013-09-08 02:03:58 231424 ----a-w- C:\Windows\SysWow64\mswsock.dll
2013-08-29 02:17:48 5549504 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-08-29 02:16:35 1732032 ----a-w- C:\Windows\System32\ntdll.dll
2013-08-29 02:16:28 243712 ----a-w- C:\Windows\System32\wow64.dll
2013-08-29 02:16:14 859648 ----a-w- C:\Windows\System32\tdh.dll
2013-08-29 02:13:28 878080 ----a-w- C:\Windows\System32\advapi32.dll
2013-08-29 01:51:45 3969472 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-08-29 01:51:45 3914176 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-08-29 01:50:31 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2013-08-29 01:50:30 1292192 ----a-w- C:\Windows\SysWow64\ntdll.dll
2013-08-29 01:50:16 619520 ----a-w- C:\Windows\SysWow64\tdh.dll
2013-08-29 01:48:17 640512 ----a-w- C:\Windows\SysWow64\advapi32.dll
2013-08-29 01:48:15 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2013-08-29 00:49:53 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2013-08-29 00:49:52 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2013-08-29 00:49:52 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2013-08-29 00:49:49 2048 ----a-w- C:\Windows\SysWow64\user.exe
2013-08-28 01:21:06 3155968 ----a-w- C:\Windows\System32\win32k.sys
2013-08-22 17:09:56 256088 ----a-w- C:\Windows\System32\unrar64.dll
2013-08-22 17:09:56 217176 ----a-w- C:\Windows\SysWow64\unrar.dll
.
============= FINISH: 22:23:14.72 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume6
Install Date: 11/1/2013 10:12:50 PM
System Uptime: 11/6/2013 2:15:30 PM (8 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. |  | GA-890GPA-UD3H
Processor: AMD Phenom™ II X4 980 Processor | Socket M2 | 3700/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 119 GiB total, 30.795 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 0 GiB total, 0.031 GiB free.
G: is FIXED (NTFS) - 931 GiB total, 415.208 GiB free.
H: is FIXED (NTFS) - 931 GiB total, 842.491 GiB free.
I: is FIXED (NTFS) - 1863 GiB total, 1028.367 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: USB camera
Device ID: USB\VID_045E&PID_00F5&MI_00\6&14EB0750&0&0000
Manufacturer:
Name: USB camera
PNP Device ID: USB\VID_045E&PID_00F5&MI_00\6&14EB0750&0&0000
Service:
.
==== System Restore Points ===================
.
RP28: 11/2/2013 7:49:32 AM - Windows Update
RP29: 11/2/2013 11:59:32 AM - Installed Java 7 Update 45
RP30: 11/2/2013 12:11:53 PM - Installed DWA-548
RP31: 11/2/2013 12:32:46 PM - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
RP32: 11/2/2013 12:34:06 PM - Installed OpenOffice 4.0.1
RP33: 11/4/2013 3:00:11 AM - Windows Update
RP34: 11/4/2013 4:47:03 PM - Installed IPCamClient
RP35: 11/4/2013 10:40:07 PM - Installed DirectX
RP36: 11/5/2013 3:40:40 PM - Installed DirectX
RP37: 11/6/2013 3:00:10 AM - Windows Update
.
==== Installed Programs ======================
.
@BIOS
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader XI (11.0.05)
Advanced SystemCare Ultimate 6
ATI AVIVO64 Codecs
ATI Catalyst Install Manager
AutoGreen B12.0206.1
Catalyst Media Center
Catalyst Media Center DVD Authoring Module
CCleaner
DAEMON Tools Lite
DWA-548
EasySaver B9.1214.1
eMule
GIGABYTE OC_GURU II
GigaTribe 3.04.012
Google Earth
Google Update Helper
IP Camera
IPCamClient
IrfanView (remove only)
JMicron JMB36X Driver
K-Lite Mega Codec Pack 10.1.0
Microsoft Corporation
Microsoft Security Client
Microsoft Security Essentials
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
Mozilla Firefox 25.0 (x86 en-US)
Mozilla Maintenance Service
NVIDIA 3D Vision Controller Driver 306.38
NVIDIA Control Panel 306.38
NVIDIA Graphics Driver 306.38
NVIDIA HD Audio Driver 1.3.18.0
NVIDIA Install Application
NVIDIA PhysX
NVIDIA PhysX System Software 9.12.0807
NVIDIA Update 1.10.8
NVIDIA Update Components
ON_OFF Charge B11.1102.1
OpenOffice 4.0.1
PeerBlock 1.1 (r518)
PlayReady PC Runtime amd64
Realtek Ethernet Controller Driver
Realtek High Definition Audio Driver
Renesas Electronics USB 3.0 Host Controller Driver
Skype Click to Call
Skype™ 6.10
Slick Savings
Speccy
SUPERAntiSpyware
Vuze
Vuze Remote Toolbar v8.1
WinRAR 5.00 (64-bit)
.
==== Event Viewer Messages From Past Week ========
.
11/6/2013 3:00:37 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80246007: Security Update for Microsoft XML Core Services 4.0 Service Pack 2 for x64-based Systems (KB954430).
11/6/2013 3:00:37 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80070643: Update for Microsoft XML Core Services 4.0 Service Pack 2 for x64-based Systems (KB973688).
11/5/2013 12:59:26 PM, Error: Ntfs [42]  - The user disk quota information is unusable. To ensure accuracy, the file system quota information on the device  with label "I:" will be rebuilt.
11/5/2013 10:34:56 PM, Error: Microsoft-Windows-BitLocker-Driver [24615]  - Metadata initial read: Primary metadata record on volume J: could not be found. Volume needs recovery.
.
==== End Of File ===========================
 



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:34 PM

Posted 07 November 2013 - 04:08 AM

I'm afraid I have very bad news.

Your system is infected with a nasty variant of Virut, a dangerous polymorphic file infector with IRCBot functionality which infects .exe and .scr files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware. With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of Virut can even penetrate and infect .exe files within compressed files (.zip, .cab, .rar). The Virux and Win32/Virut.17408 variants are even more complex file infectors which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer Virut remains on a computer, the more critical system files will become infected and corrupt, so the degree of damage can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files... some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus... Due to the damage caused to files by Virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG Overview of W32/Virut

Virut is commonly spread via a flash drive (usb, pen, thumb, jump) infection using RUNDLL32.EXE and other malicious files. It is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and a major source of system infection.

... warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files... quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

However, the CA Security Advisor Research Blog has found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

Since Virut is not effectively disinfectable, your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files (which could number in the thousands) cannot be deleted and anti-malware scanners cannot disinfect them properly. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system... There are only a few ways to return a compromised system to a confident security configuration. These include:
Reimaging the system
Restoring the entire system using a full system backup from before the backdoor infection
Reformatting and reinstalling the system


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 karagarga

karagarga
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:34 PM

Posted 07 November 2013 - 09:43 AM

Quote

The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

Only reformat the system disk? Or do I also have to format the additional HDDs I have installed as well? Where do I draw the line? I have a disk that has the "Ultimate Boot" which I have used "HDD/Disk Wiping" tools before on XP machines. Do you suggest I use any of these programs such as "Darik's Boot and Nuke" to wipe clean the HDDs? Any and all help is more than welcome.

Since all of my HDDs are WD I can download the "Acronis True Image WD Edition" and use that. (http://wdc.custhelp.com/app/answers/detail/a_id/1211/p/85,206/c/0/session/L3RpbWUvMTM4MzgzNTAyOC9zaWQvRGszQ0NMRWw%3D). Also is there a chance that it can save itself directly onto the mobo somehow?

My question is where is this virus stored? I do have some files that need to be kept. I just removed the bad 1TB HDD last night and replaced it with two 2TB HDDs, but if the infection is still there do I need to format all of my WD HDDs (that's 4 of them) plus reformat the SSD and re-install the OS again? I have a few custom video files that I have for clients; is it possible for the virus to hide inside of the video as well? Here is a snapshot using Speccy (http://speccy.piriform.com/results/yVn7PQdB6b7gg0AYYPi0NqS).

Can Virut hide in the memory of the GPU as well?



#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:34 PM

Posted 07 November 2013 - 10:02 AM

Virut may be within several file types, as you can see at the top of my last post.
It spreads through USB devices, so the only way to be 100% sure is backing up important files to CD/DVD (excluding the "critical" file types) and wiping the place.

Depending on the type of your hard drives, your freshly installed system will become reinfected the moment you attach one of them.

You cannot say where the virus is stored - it doesn't have its own, locatable files as other viruses do. It injects its malicious code into other files, and this is what makes it almost impossible to remove with any guarantee.

Video files, sound files and other user data like this may be backed up and restored to the reinstalled system, but don't back up any:

.exe, .scr, .zip, .cab, .rar, .php, .asp, .htm, .html, .xml or other script files.

Edited by TB-Psychotic, 07 November 2013 - 10:05 AM.

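The filtering rule from the two Malware Response Team posts above (hold back every .exe, .scr, .zip, .cab, .rar, .php, .asp, .htm, .html and .xml file; let video and other plain user data through), as an added worked example that is not part of this thread and not a tool either poster used. It checks content as well as names: a file infector that writes itself into executables does not care what the file is called, and the iframe injection the Norman paper describes targets web-type files, so the script also sniffs each file's first bytes for PE, ZIP, RAR and CAB headers and for an `<iframe` tag regardless of extension. The extra extensions beyond the thread's list (.dll, .sys, .com, .pif, .bat, .cmd, .vbs, .js) and the sample backup tree are my own assumptions and constructed data; the script is a restore-time triage filter, not a Virut detector.

```python
"""Restore-time triage of a backup set taken from a file-infector victim.

Added example for this thread; not a tool from the thread or from any vendor.
A file is held back either because its extension is on the do-not-restore
list or because its first bytes say it is an executable, an archive (which can
carry infected executables) or a text file with an injected <iframe>, whatever
its name says. It does not detect Virut itself.
"""
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Types the thread says not to carry over from the infected system.
THREAD_EXTENSIONS = {".exe", ".scr", ".zip", ".cab", ".rar",
                     ".php", ".asp", ".htm", ".html", ".xml"}
# Assumption (not from the thread): other Windows executable/script types
# that deserve the same treatment.
EXTRA_EXTENSIONS = {".dll", ".sys", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
HOLD_BACK_EXTENSIONS = THREAD_EXTENSIONS | EXTRA_EXTENSIONS

# Leading bytes of formats checked independently of the file name.
MAGIC_PREFIXES = [
    (b"MZ", "pe-executable"),        # DOS/PE stub: .exe, .dll, .scr, .sys
    (b"PK\x03\x04", "zip-archive"),
    (b"Rar!\x1a\x07", "rar-archive"),
    (b"MSCF", "cab-archive"),
]
MAX_SNIFF = 64 * 1024  # bytes of each file that are inspected


def sniff_reason(head: bytes) -> Optional[str]:
    """Why the *content* of a file should be held back, or None if nothing matched."""
    for prefix, label in MAGIC_PREFIXES:
        if head.startswith(prefix):
            return label
    # Injected <iframe> in text-type data (HTML, XML, SVG, ...) regardless of extension.
    if b"<iframe" in head.lower():
        return "iframe-in-text"
    return None


def classify(path: Path) -> Optional[str]:
    """Reason a file is held back, or None if it may be restored."""
    ext = path.suffix.lower()
    if ext in HOLD_BACK_EXTENSIONS:
        return "extension:" + ext
    try:
        with path.open("rb") as fh:
            head = fh.read(MAX_SNIFF)
    except OSError as exc:           # unreadable files are held back, not silently skipped
        return "unreadable:" + exc.__class__.__name__
    return sniff_reason(head)


def triage(root: Path) -> Tuple[Dict[str, str], List[str]]:
    """Walk the backup root; return (held_back {path: reason}, restorable [paths])."""
    held: Dict[str, str] = {}
    safe: List[str] = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        reason = classify(p)
        if reason is None:
            safe.append(rel)
        else:
            held[rel] = reason
    return held, safe


def build_sample_tree(root: Path) -> None:
    """Constructed sample backup set (made-up data, nothing from the thread)."""
    (root / "video").mkdir()
    (root / "docs").mkdir()
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60
    (root / "video" / "client_cut.mp4").write_bytes(b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 64)
    (root / "video" / "codec.mp4").write_bytes(pe_stub)               # PE renamed to look like video
    (root / "docs" / "notes.txt").write_text("render settings for client A\n")
    (root / "docs" / "setup.exe").write_bytes(pe_stub)                # caught by extension alone
    (root / "docs" / "tools.zip").write_bytes(b"PK\x03\x04" + b"\x00" * 26)
    (root / "docs" / "archive.dat").write_bytes(b"Rar!\x1a\x07\x00" + b"\x00" * 20)  # RAR renamed
    (root / "docs" / "index.htm").write_text("<html><body>hi</body></html>\n")
    (root / "docs" / "readme.svg").write_text('<svg><iframe src="http://example.invalid/x"></iframe></svg>\n')


def run_demo() -> Tuple[Dict[str, str], List[str]]:
    """Build the sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    held_back, restorable = run_demo()
    for rel_path, why in held_back.items():
        print(f"HOLD  {rel_path:24} {why}")
    for rel_path in restorable:
        print(f"OK    {rel_path}")
```

Run it against a copy of the backup root before anything is plugged into the rebuilt machine; everything in the held-back map stays off until it has been replaced from clean install media. A file that passes is only "not obviously executable or scripted", which is exactly why the posts above say to rebuild rather than disinfect.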

#7 karagarga

karagarga
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:34 PM

Posted 07 November 2013 - 01:20 PM

Thank you very much.



#8 karagarga

karagarga
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:34 PM

Posted 07 November 2013 - 07:48 PM

I guess I should be asking if just the Windows format is enough? Or should I go with an aftermarket wiping tool from "Ultimate Boot"?



#9 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:34 PM

Posted 08 November 2013 - 02:31 AM

These wiping tools are only necessary if a forensic restore of any data on this drive shall be impossible.

A normal format run will fit - do NOT select "quick format"!



#10 karagarga

karagarga
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:34 PM

Posted 08 November 2013 - 07:01 PM

 I will do this tonight and get back to someone here by tomorrow afternoon. Thanks again.



#11 karagarga

karagarga
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:34 PM

Posted 09 November 2013 - 09:51 AM

Just to let you know I am still here. I ended up using a Windows 7 Home 64bit disk to do two slow formats. Then went ahead and used ("copywipe" 1.14) 5 passes. Took most of the night just on the OCZ SSD 128GB which my OS is on, and I will slowly start to add my four WD 2TB drives too, one at a time. They just have video on them, nothing else.



#12 karagarga

karagarga
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:34 PM

Posted 09 November 2013 - 09:52 AM

I installed Windows 7 64bit Ultimate.


#13 karagarga

karagarga
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:34 PM

Posted 10 November 2013 - 10:09 PM

A cousin of mine sent me this "http://www.symantec.com/security_response/writeup.jsp?docid=2009-022016-4444-99" tool and found nothing, but I am still having the same problems as last time and figure it might be some other type of virus?



#14 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:34 PM

Posted 11 November 2013 - 03:28 AM

Quote

and found nothing but I am still having the same problems as last time

what problems exactly do you have?



#15 karagarga

karagarga
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:34 PM

Posted 11 November 2013 - 08:04 AM

Right now my main concern is random Blue Screen of Death running on Windows 7 64bit, which has plagued me from the start. Could be in either MIE-10 or Firefox 25; both seem to be the latest editions. Could also be just idling or doing some minor video editing.





