
Encountered A Worm? (insane amount of .exe files infected)


#1 ranfan


  • Members
  • 11 posts
  • Gender:Male
  • Local time:08:35 AM

Posted 20 February 2014 - 03:22 PM

Got hold of a friend's laptop because he needed help removing an infection, and every time files were removed, they just got reinfected after the computer was restarted.


He didn't really do anything, but came across some aswMBR program, and I asked him to take a screenshot. This was part of the scan.



He mentioned seeing a lot of Win32:Vitro and Win32:Virut. He lent me the laptop, and I'm not sure what to do with it, to be honest.


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.51.2
Run by Administrator at 14:39:13 on 2014-02-20
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3034.2367 [GMT -5:00]
============== Running Processes ================
C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe
C:\Program Files\EaseUS\Todo Backup\bin\GuardAgent.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe
C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Citrix\ICA Client\redirector.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
============== Pseudo HJT Report ===============
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uProxyOverride = <local>;*.local
mWinlogon: Userinit = c:\windows\explorer.exe,
BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [Akamai NetSession Interface] "c:\documents and settings\administrator\local settings\application data\akamai\netsession_win.exe"
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\redirector.exe" /startup
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1349629193473
TCP: NameServer =
TCP: Interfaces\{5884C5EE-F5CF-4FE7-BF09-7094930E6B26} : DHCPNameServer =
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs= c:\progra~1\citrix\icacli~1\RSHook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: SecurityProviders = msapsspc.dll, schannel.dll, credssp.dll, digest.dll, msnsspc.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
================= FIREFOX ===================
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\5yq8wbxu.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\citrix\ica client\npicaN.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\tabletplugins\npWacomTabletPlugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_43.dll
============= SERVICES / DRIVERS ===============
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2013-9-3 51400]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [2013-9-3 40776]
R0 iastor7;iastor7;c:\windows\system32\drivers\iastor7.sys [2012-3-14 470808]
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [2012-3-14 13616]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [2012-3-14 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [2012-3-14 13616]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2012-4-25 67960]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-10-12 242240]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2013-9-3 14920]
R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [2013-9-3 185672]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2013-11-9 121184]
R2 EaseUS Agent;EaseUS Agent Service;c:\program files\easeus\todo backup\bin\Agent.exe [2013-9-3 68168]
R2 Guard Agent;Guard Agent Service;c:\program files\easeus\todo backup\bin\GuardAgent.exe [2013-9-3 23624]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-16 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-10-16 701512]
R2 WTabletServicePro;Wacom Professional Service;c:\program files\tablet\wacom\WTabletServicePro.exe [2014-1-8 531224]
R3 anvsnddrv;AnvSoft Virtual Sound Device;c:\windows\system32\drivers\anvsnddrv.sys [2012-11-26 32896]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-10-16 22856]
R3 pspdisp;pspdisp;c:\windows\system32\drivers\pspdisp.sys [2011-1-18 3072]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-9-5 171680]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2012-10-9 1691480]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2013-8-24 13896]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2013-8-24 9160]
S3 hidkmdf;KMDF Driver;c:\windows\system32\drivers\hidkmdf.sys [2014-1-8 12088]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007,;c:\windows\system32\drivers\libusb0.sys [2012-10-14 35392]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-11-13 35144]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\drivers\MijXfilt.sys [2012-11-30 97552]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2013-9-1 27064]
S3 StkCMini;Syntek AVStream USB2.0 ATV;c:\windows\system32\drivers\StkCMini.sys [2013-10-26 1521544]
S3 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys --> c:\windows\system32\drivers\vmci.sys [?]
S3 WacHidRouter;Wacom Hid Router;c:\windows\system32\drivers\wachidrouter.sys [2014-1-8 76600]
S3 wacomrouterfilter;Wacom Router Filter Driver;c:\windows\system32\drivers\wacomrouterfilter.sys [2014-1-8 13112]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-4-18 754856]
S3 XDva405;XDva405;\??\c:\windows\system32\xdva405.sys --> c:\windows\system32\XDva405.sys [?]
=============== Created Last 30 ================
2014-02-20 19:24:12    --------    d-----w-    c:\windows\system32\Lang
2014-02-20 18:02:10    --------    d-sha-r-    C:\cmdcons
2014-02-20 17:21:30    98816    ----a-w-    c:\windows\sed.exe
2014-02-20 17:21:30    256000    ----a-w-    c:\windows\PEV.exe
2014-02-20 17:21:30    208896    ----a-w-    c:\windows\MBR.exe
2014-02-20 12:16:59    1324    ----a-w-    c:\documents and settings\administrator\local settings\application data\d3d9caps.tmp
2014-01-27 08:30:31    --------    d-----w-    c:\windows\system32\1058
2014-01-23 05:46:23    --------    d-----w-    c:\documents and settings\administrator\Shaders
2014-01-23 03:39:43    --------    d-----w-    c:\documents and settings\all users\application data\SystemRequirementsLab
==================== Find3M  ====================
2014-02-20 17:09:58    321024    ----a-w-    c:\windows\system32\WISPTIS.EXE
2014-02-20 17:08:54    53760    ----a-w-    c:\windows\system32\userinit.exe
2014-02-20 17:07:59    134144    ----a-w-    c:\windows\system32\sysocmgr.exe
2014-02-20 17:06:58    42496    ----a-w-    c:\windows\system32\shadow.exe
2014-02-20 17:05:59    52224    ----a-w-    c:\windows\system32\rsmsink.exe
2014-02-20 17:04:57    244224    ----a-w-    c:\windows\system32\PowerCalc.exe
2014-02-20 17:03:58    359424    ----a-w-    c:\windows\system32\netsetup.exe
2014-02-20 17:02:59    61440    ----a-w-    c:\windows\system32\mmcperf.exe
2014-02-20 17:01:58    286720    ----a-w-    c:\windows\system32\igfxsrvc.exe
2014-02-20 17:00:59    36352    ----a-w-    c:\windows\system32\eventvwr.exe
2014-02-20 16:59:59    57344    ----a-w-    c:\windows\system32\dplaysvr.exe
2014-02-20 16:59:59    38400    ----a-w-    c:\windows\system32\doskey.exe
2014-02-20 16:59:56    43520    ----a-w-    c:\windows\system32\dmremote.exe
2014-02-20 16:59:56    252416    ----a-w-    c:\windows\system32\dmadmin.exe
2014-02-20 16:59:55    32256    ----a-w-    c:\windows\system32\dllhst3g.exe
2014-02-20 16:46:20    45568    ----a-w-    c:\windows\system32\diskperf.exe
2014-02-20 16:46:18    191488    ----a-w-    c:\windows\system32\diskpart.exe
2014-02-20 16:46:16    114688    ----a-w-    c:\windows\system32\diantz.exe
2014-02-20 16:46:13    110592    ----a-w-    c:\windows\system32\dfrgfat.exe
2014-02-20 16:46:11    52736    ----a-w-    c:\windows\system32\defrag.exe
2014-02-20 16:46:08    57856    ----a-w-    c:\windows\system32\ddeshare.exe
2014-02-20 16:46:07    33792    ----a-w-    c:\windows\system32\dcomcnfg.exe
2014-02-20 16:46:04    43008    ----a-w-    c:\windows\system32\ctfmon.exe
2014-02-20 16:46:02    163840    ----a-w-    c:\windows\system32\cscript.exe
2014-02-20 16:46:01    41472    ----a-w-    c:\windows\system32\convert.exe
2014-02-20 16:46:00    35840    ----a-w-    c:\windows\system32\control.exe
2014-02-20 16:44:59    52736    ----a-w-    c:\windows\system32\at.exe
2014-02-20 16:42:21    38400    ----a-w-    c:\windows\hh.exe
2014-02-20 16:42:18    1061376    ----a-w-    c:\windows\explorer.exe
2014-01-17 02:59:00    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-01-17 02:59:00    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-12-19 09:06:07    15884    ----a-w-    c:\windows\system32\SSubTmr6.dll
2013-12-19 09:06:07    100364    ----a-w-    c:\windows\system32\vbaListView6.ocx
2013-12-19 02:10:01    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-12-19 01:46:50    145408    ----a-w-    c:\windows\system32\javacpl.cpl
2013-12-04 16:35:55    1604376    ----a-w-    c:\windows\system32\Wacom_Tablet.dll
2013-12-04 16:35:55    1596696    ----a-w-    c:\windows\system32\Wacom_Touch_Tablet.dll
2013-12-04 16:35:55    1483032    ----a-w-    c:\windows\system32\Wintab32.dll
2013-12-04 16:35:54    1479960    ----a-w-    c:\windows\system32\WacomMT.dll
2013-11-28 00:24:18    121184    ----a-w-    c:\windows\system32\drivers\idmtdi.sys
============= FINISH: 14:40:28.10 ===============





#2 aharonov


  • Malware Response Team
  • 2,441 posts
  • Gender:Male
  • Local time:03:35 PM

Posted 21 February 2014 - 04:36 AM


I'm afraid I have very bad news.

Your system is infected with a nasty variant of Virut, a dangerous polymorphic file infector with IRCBot functionality which infects .exe, .scr files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.

With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of virut can even penetrate and infect .exe files within compressed files (.zip, .cab, rar). The Virux and Win32/Virut.17408 variants are even more complex file infectors which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer virut remains on a computer, the more critical system files will become infected and corrupt, so the degree of damage can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damage caused to files by virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG Overview of W32/Virut

Virut is commonly spread via a flash drive (usb, pen, thumb, jump) infection using RUNDLL32.EXE and other malicious files. It is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

However, the CA Security Advisor Research Blog has found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

Since virut is not effectively disinfectable, your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files (which could number in the thousands) cannot be deleted and anti-malware scanners cannot disinfect them properly. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what security expert miekiemoes has to say: Virut and other File infectors - Throwing in the Towel?

If I guide someone with Virut (or any other File Infector) present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall...dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution - which is a format and reinstall...After all, I think it would be irresponsible to let the malware "stew" (download/spread/run more malware) for another couple of days/weeks if you already know it's a lost case.

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).
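A practical follow-up to the HOSTS-file point made in the post above (an added example; it is not part of aharonov's post and not a vendor tool): the script reads a Windows HOSTS file and reports any entry that pins a security-vendor domain, or that sinkholes a host to loopback or 0.0.0.0. The HOSTS content (SAMPLE_HOSTS) and the list of watched domains (WATCHED_DOMAINS) are constructed assumptions; extend the list with the vendors you care about. The sinkhole rule also fires on deliberate ad-blocking HOSTS files, so read the findings rather than acting on a count.

```python
"""Check a Windows HOSTS file for entries that sinkhole security-vendor sites.

Some Virut variants add HOSTS entries so that anti-virus and update sites
resolve to localhost. A stock HOSTS file never mentions those domains at
all, so any entry for them is worth a look, whatever address it points at.
"""
import ipaddress

# Constructed sample resembling a tampered C:\WINDOWS\system32\drivers\etc\hosts
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1\twww.microsoft.com update.microsoft.com
127.0.0.1 www.avg.com   # trailing comment
0.0.0.0 free-av.com
192.168.1.10 intranet.local
"""

# Domains an infector typically blocks (assumption: extend for your vendors).
WATCHED_DOMAINS = (
    'microsoft.com', 'malwarebytes.org', 'avg.com', 'avast.com', 'eset.com',
    'kaspersky.com', 'symantec.com', 'mcafee.com', 'bleepingcomputer.com',
)


def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping in a HOSTS file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()                      # tabs and runs of spaces both work
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                              # malformed line, not a mapping
        for name in names:
            yield addr, name.lower(), line_no


def watched(hostname):
    """True if hostname is one of, or a subdomain of, the watched domains."""
    return any(hostname == d or hostname.endswith('.' + d) for d in WATCHED_DOMAINS)


def find_hijacks(text):
    """Return suspicious entries as (line_no, address, hostname, reason)."""
    findings = []
    for addr, name, line_no in parse_hosts(text):
        if name == 'localhost':
            continue                              # the one entry every HOSTS file has
        ip = ipaddress.ip_address(addr)
        if watched(name):
            findings.append((line_no, addr, name, 'security vendor domain pinned in HOSTS'))
        elif ip.is_loopback or ip.is_unspecified:
            findings.append((line_no, addr, name, 'host sinkholed to loopback/0.0.0.0'))
    return findings


if __name__ == '__main__':
    for line_no, addr, name, reason in find_hijacks(SAMPLE_HOSTS):
        print(f'line {line_no}: {addr} -> {name}: {reason}')
```

On a live system, read the real file with `open(r'C:\WINDOWS\system32\drivers\etc\hosts', encoding='utf-8', errors='replace')` and pass its contents to `find_hijacks`; a clean XP HOSTS file yields no findings at all.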

#3 ranfan

  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Local time:08:35 AM

Posted 21 February 2014 - 06:34 AM

Thank you for your response. Wow, that sucks horribly. I can work with that though. I have a question regarding files... Would you recommend against backing up pictures? The client would like to have them, and I'm wondering if I can transfer them to a formatted flash drive or if it's just a done deal. Among the other files that he would like to keep are a good deal of MS Word and .txt documents. Another thing he would like to keep is the Firefox profile. I'm ready to reformat at any time, and this is all I need to know about before starting.

#4 aharonov


  • Malware Response Team
  • 2,441 posts
  • Gender:Male
  • Local time:03:35 PM

Posted 22 February 2014 - 01:46 PM

There are a lot of different versions out there. Some infect only executables, others also infect other file types like Word documents. From what I've seen so far I cannot definitively say which files are infected.
So let's do a scan to get the big picture so we can decide how to proceed safely with backing up personal data before the reformat.

Please download the ESET Online Scanner and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start esetsmartinstaller_enu.exe with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    Copy and paste the content of this log file in your next reply.
  • Note: Do not forget to re-enable your antivirus application after running the above scan!

#5 ranfan

  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Local time:08:35 AM

Posted 22 February 2014 - 07:52 PM

Kinda sad that this all got started from trying to modify old Game Boy Color games...



ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=
# OnlineScanner.ocx=
# api_version=3.0.2
# EOSSerial=5fafca5989373346865bdee37a8c63b7
# engine=17186
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2014-02-23 12:42:45
# local_time=2014-02-22 07:42:45 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# scanned=142470
# found=35
# cleaned=0
# scan_time=4017
sh=EEB7CED89322B3162D60FE6E8036BC85B2D8068D ft=1 fh=60580c0c6184fe40 vn="Win32/Virut.NBP virus" ac=I fn="C:\CanoScan\CNQL35\CNQSG77\TWUNK_32.EXE"
sh=4659940AE2C17302DDFCAC9A6D88AA21A9C92697 ft=1 fh=8c68b1fa6c8a3dab vn="Win32/Virut.NBP virus" ac=I fn="C:\dell\drivers\R274721\Vi64\DellTPad.exe"
sh=D2408C8A09A2BD9704AF39F818EC7AC9E9CCA46E ft=1 fh=08d2b982dc66508e vn="a variant of Win32/Bunndle potentially unsafe application" ac=I fn="C:\Documents and Settings\Administrator\Application Data\uTorrent\uTorrent.exe"
sh=EE9BBBC743CCAE4F4926A39E6FA5326A5F1F0248 ft=1 fh=cc7866909ae56fb1 vn="Win32/Virut.NBP virus" ac=I fn="C:\Documents and Settings\Administrator\Desktop\Good bleep\Pokémon Essentials v11 2012-12-23\extendtext.exe"
sh=51BBC7187CEBFEA1C67E5ED3B83910FACD8B6B68 ft=1 fh=7985ac8734e40b37 vn="Win32/Virut.NBP virus" ac=I fn="C:\Documents and Settings\Administrator\Desktop\Project64k_0_13 - Copy\Project64k.exe"
sh=A4C36F819DDD2E0FEBA4E295A24C267F1833AA5C ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.Agent.QMM trojan" ac=I fn="C:\Documents and Settings\Administrator\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\49\68860031-681f409c"
sh=1ABB3BC1410FAA4113801A6005DB95D5FC906632 ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.CVE-2013-2465.BJ trojan" ac=I fn="C:\Documents and Settings\Administrator\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\6\46e79106-73a8b9a7"
sh=DBA4EA18D4B81986FB466F47D8BCE0D4799135F9 ft=1 fh=f6ab25adfc596ee1 vn="Win32/Virut.NBP virus" ac=I fn="C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe"
sh=19E22EC3832297670957877D68702DDCF702FD54 ft=1 fh=6cc6d9fa7f269515 vn="Win32/Virut.NBP virus" ac=I fn="C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\DotNetInstaller.exe"
sh=829B4F38B8C688B168531D9DF34E21FECF6022CF ft=1 fh=4d2b0193b68bd066 vn="Win32/Virut.NBP virus" ac=I fn="C:\Program Files\EaseUS\Todo Backup\bin\bootsect.exe"
sh=3651F0222106E069048839CB95047A9FBB421456 ft=1 fh=c4e48ffe443e9f93 vn="a variant of Win32/TFTPD32.A potentially unsafe application" ac=I fn="C:\Program Files\EaseUS\Todo Backup\bin\PxeServer.dll"
sh=D939A41BBA177A4971EEBD9BF9F001FF18FBDC0A ft=1 fh=9223383008678d0b vn="Win32/Virut.NBP virus" ac=I fn="C:\Program Files\Macromedia\Flash 8\Flash.exe"
sh=BDA34A0C525DF2F9E096FF212D21EE0EB8C7C44A ft=1 fh=82222da3fc000825 vn="Win32/Virut.NBP virus" ac=I fn="C:\Program Files\Outlook Express\oemig50.exe"
sh=17416DAAAA7622B296D64B8E56D4C6AC24A0546B ft=1 fh=36838de39c71a3a2 vn="Win32/Virut.NBP virus" ac=I fn="C:\Program Files\PSPdisp\source\installer\InstDrvExe\bin\InstDrvExe_x64.exe"
sh=1F400BF06D0CDB91F11C38B97639D5B7DE419E70 ft=1 fh=bb995ecb899871ea vn="Win32/Virut.NBP virus" ac=I fn="C:\Program Files\SystemRequirementsLab\Detection.exe"
sh=53548481E606F8FD9207827B84E609E9D636FA5B ft=1 fh=37967b83e5ec2d42 vn="Win32/Virut.NBP virus" ac=I fn="C:\Program Files\Ulead Systems\Ulead VideoStudio SE DVD\BatchDL.exe"
sh=776B2C1C689FB5762ED4AEEDC03B8AC7F5DAB354 ft=1 fh=7e8da30d49196d8b vn="Win32/Virut.NBP virus" ac=I fn="C:\Program Files\Ulead Systems\Ulead VideoStudio SE DVD\vstudio.exe"
sh=3A0575F5336C673E0403D1C3FA90150F8451090B ft=1 fh=05cf8019fda39b15 vn="Win32/Virut.NBP virus" ac=I fn="C:\Program Files\Unity\MonoDevelop\bin\mdhost.exe"
sh=D2408C8A09A2BD9704AF39F818EC7AC9E9CCA46E ft=1 fh=08d2b982dc66508e vn="a variant of Win32/Bunndle potentially unsafe application" ac=I fn="C:\Program Files\uTorrent\uTorrent.exe"
sh=45B3E84E8AD10BEBB0056DE5CC184370F07D074D ft=1 fh=aefc45facf68910d vn="Win32/Virut.NBP virus" ac=I fn="C:\Program Files\WinRAR\UnRAR.exe"
sh=A701671D52AEFE8137EFBB5487303B1774247E24 ft=1 fh=873ff0a80dbe6cc8 vn="a variant of Win32/Bhottle.A trojan" ac=I fn="C:\Qoobox\Quarantine\C\WINDOWS\system32\aaaammon.dll.vir"
sh=A701671D52AEFE8137EFBB5487303B1774247E24 ft=1 fh=873ff0a80dbe6cc8 vn="a variant of Win32/Bhottle.A trojan" ac=I fn="C:\System Volume Information\_restore{E5634189-4418-4D29-8D83-DB334DE06101}\RP1\A0000026.dll"
sh=5FCB5558D3F1B9316248E859CC61F798B19C03AC ft=1 fh=ab1ae51c2a2b6cc2 vn="Win32/Virut.NBP virus" ac=I fn="C:\WINDOWS\Installer\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}\SkypeIcon.exe"
sh=A701671D52AEFE8137EFBB5487303B1774247E24 ft=1 fh=873ff0a80dbe6cc8 vn="a variant of Win32/Bhottle.A trojan" ac=I fn="C:\WINDOWS\system32\aaaammmon.dll"
sh=20163E3D1AE8A50EA5D4BCCB5613048521F2CFA6 ft=1 fh=85bac5bbd30190b9 vn="Win32/Virut.NBP virus" ac=I fn="C:\WINDOWS\system32\logon.scr"
sh=C4019744391F41FB4BABE142A1DFEA073E07E83C ft=1 fh=820f7241ac6826bc vn="Win32/Virut.NBP virus" ac=I fn="C:\WINDOWS\system32\napstat.exe"
sh=4657DDF36B73577FDCFD42FB79335B1898F2DD7E ft=1 fh=126159cdac6da95b vn="Win32/Virut.NBP virus" ac=I fn="C:\WINDOWS\system32\packager.exe"
sh=E37F815FD031701334868774B583EA3E65C2A11D ft=1 fh=dec152a91962f4a1 vn="Win32/Virut.NBP virus" ac=I fn="C:\WINDOWS\system32\rspndr.exe"
sh=F7F5DB5E7A9A320E0A0225C51956AAAD1D43B750 ft=1 fh=ef23a9ce5918d2bd vn="Win32/Virut.NBP virus" ac=I fn="C:\WINDOWS\system32\dllcache\alg.exe"
sh=4FC8BFC4894C81B25B3EBC57D263DCBBBF8F03FE ft=1 fh=3d7ca89d19911431 vn="Win32/Virut.NBP virus" ac=I fn="C:\WINDOWS\system32\dllcache\mmcperf.exe"
sh=CC2F21BE8E86A796C11D634AFD30259FBF6A3744 ft=1 fh=4cd240dad7a16a29 vn="Win32/Virut.NBP virus" ac=I fn="C:\WINDOWS\system32\dllcache\mqsvc.exe"
sh=FA21E716489F6865B16F08FE9AC62921B909C60E ft=1 fh=a7ac06789ba9b832 vn="Win32/Virut.NBP virus" ac=I fn="C:\WINDOWS\system32\dllcache\msswchx.exe"
sh=4291C9281AF38BA0566BD967063BDD4985891425 ft=1 fh=12c31016e0ae6b46 vn="Win32/Virut.NBP virus" ac=I fn="C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\DellTPad.exe"
sh=53717F515790C5AD67489BF8342FD393C2E4D745 ft=1 fh=260ad03368b6dece vn="Win32/Virut.NBP virus" ac=I fn="C:\WINDOWS\system32\wbem\wmiapsrv.exe"
sh=0000000000000000000000000000000000000000 ft=- fh=0000000000000000 vn="a variant of Win32/Bunndle potentially unsafe application" ac=I fn="${Memory}"
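The ESET log above is a flat key=value format that is easy to triage mechanically. The following script is an added example, not something from the thread or from ESET: it parses the detection lines, separates parasitic file-infector hits (ESET's trailing "virus" label) from the PUA and trojan hits, and calls out infected copies under system32 and its dllcache directory, the Windows File Protection cache. That last point is why "restoring the originals" is not an option on this machine: the backups WFP would restore from are themselves infected. SAMPLE_LOG is a subset copied from the posted log; the path heuristics are the script's own assumptions.

```python
"""Triage an ESET Online Scanner log for a file-infector outbreak.

Detection lines are space-separated key=value fields; the vn (threat name)
and fn (file name) values are double-quoted and may contain spaces. Lines
starting with '#' carry scan metadata (scanned=, found=, ...).
"""
import re
from collections import Counter, defaultdict

# Subset of lines copied from the ESET log posted in this thread.
SAMPLE_LOG = r'''# scanned=142470
# found=35
sh=EEB7CED89322B3162D60FE6E8036BC85B2D8068D ft=1 fh=60580c0c6184fe40 vn="Win32/Virut.NBP virus" ac=I fn="C:\CanoScan\CNQL35\CNQSG77\TWUNK_32.EXE"
sh=D2408C8A09A2BD9704AF39F818EC7AC9E9CCA46E ft=1 fh=08d2b982dc66508e vn="a variant of Win32/Bunndle potentially unsafe application" ac=I fn="C:\Documents and Settings\Administrator\Application Data\uTorrent\uTorrent.exe"
sh=D2408C8A09A2BD9704AF39F818EC7AC9E9CCA46E ft=1 fh=08d2b982dc66508e vn="a variant of Win32/Bunndle potentially unsafe application" ac=I fn="C:\Program Files\uTorrent\uTorrent.exe"
sh=A701671D52AEFE8137EFBB5487303B1774247E24 ft=1 fh=873ff0a80dbe6cc8 vn="a variant of Win32/Bhottle.A trojan" ac=I fn="C:\WINDOWS\system32\aaaammmon.dll"
sh=20163E3D1AE8A50EA5D4BCCB5613048521F2CFA6 ft=1 fh=85bac5bbd30190b9 vn="Win32/Virut.NBP virus" ac=I fn="C:\WINDOWS\system32\logon.scr"
sh=F7F5DB5E7A9A320E0A0225C51956AAAD1D43B750 ft=1 fh=ef23a9ce5918d2bd vn="Win32/Virut.NBP virus" ac=I fn="C:\WINDOWS\system32\dllcache\alg.exe"
sh=53717F515790C5AD67489BF8342FD393C2E4D745 ft=1 fh=260ad03368b6dece vn="Win32/Virut.NBP virus" ac=I fn="C:\WINDOWS\system32\wbem\wmiapsrv.exe"
sh=0000000000000000000000000000000000000000 ft=- fh=0000000000000000 vn="a variant of Win32/Bunndle potentially unsafe application" ac=I fn="${Memory}"
'''

# key=value where the value is either "quoted (may contain spaces)" or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_eset_log(text):
    """Return (metadata dict, list of detection dicts) for an ESET log."""
    meta, hits = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith('#'):
            key, _, value = line[1:].strip().partition('=')
            meta[key.strip()] = value.strip()
            continue
        hits.append({key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)})
    return meta, hits


def is_file_infector(threat_name):
    """ESET labels parasitic file infectors with a trailing ' virus'."""
    return threat_name.lower().endswith(' virus')


def triage(hits):
    """Summarise detections; flag infected OS binaries and WFP cache copies."""
    by_name = Counter(h['vn'] for h in hits)
    infected = [h['fn'] for h in hits if is_file_infector(h['vn'])]
    # Path heuristics (assumption): system32 holds the live OS binaries and
    # dllcache is the Windows File Protection copy they would be restored from.
    in_system32 = [p for p in infected if '\\windows\\system32\\' in p.lower()]
    in_wfp_cache = [p for p in in_system32 if '\\dllcache\\' in p.lower()]
    # Same SHA-1 (sh=) under several paths: one payload dropped in several places.
    paths_by_hash = defaultdict(set)
    for h in hits:
        if h['sh'].strip('0'):          # skip the all-zero hash of in-memory hits
            paths_by_hash[h['sh']].add(h['fn'])
    duplicates = {sha: sorted(ps) for sha, ps in paths_by_hash.items() if len(ps) > 1}
    return {
        'by_name': by_name,
        'infected': infected,
        'in_system32': in_system32,
        'in_wfp_cache': in_wfp_cache,
        'duplicates': duplicates,
        'rebuild_advised': bool(in_system32),
    }


if __name__ == '__main__':
    meta, hits = parse_eset_log(SAMPLE_LOG)
    report = triage(hits)
    print(f"scanned={meta.get('scanned')} found={meta.get('found')} parsed={len(hits)}")
    for name, count in report['by_name'].most_common():
        print(f'  {count:3d}  {name}')
    print('infected OS binaries:', *report['in_system32'], sep='\n  ')
    print('WFP cache copies also infected:', *report['in_wfp_cache'], sep='\n  ')
    if report['rebuild_advised']:
        print('verdict: system binaries and their WFP backups carry the infector; plan a reformat')
```

Run it against the full log by reading `C:\Program Files\ESET\EsetOnlineScanner\log.txt` into `parse_eset_log`; the `duplicates` map is also a quick way to spot one sample copied into several places (the uTorrent pair above), which is not a Virut infection but still worth cleaning up.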

#6 aharonov


  • Malware Response Team
  • 2,441 posts
  • Gender:Male
  • Local time:03:35 PM

Posted 23 February 2014 - 09:12 AM

But the "good news" is that it seems to be safe to back up personal files (e.g. pictures) and then reformat and reinstall the operating system.
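The backup the post above clears can be done so that no executable rides along onto the flash drive. The script below is an added example (not from the thread): it copies only an allow-list of data extensions and, on top of that, refuses any file whose first two bytes are the DOS/PE magic `MZ`, so a renamed executable is caught regardless of its extension. `.htm`/`.html` are deliberately left off the list because the earlier post mentions Virux variants injecting iframes into web files. DATA_EXTENSIONS, FIREFOX_PROFILE_FILES and the SAMPLE_FILES tree are constructed assumptions; the script does not inspect Word documents for injected content, so it relies on the scan above having found none infected.

```python
"""Copy personal data off a Virut-infected disk before it is reformatted.

The infector lives in executables (.exe, .scr), so the backup takes only an
allow-list of data extensions and, on top of that, refuses any file whose
first two bytes are the DOS/PE magic 'MZ', whatever the extension says.
"""
import os
import shutil
import tempfile

# Assumptions: the file types the poster wants (pictures, Word/text documents)
# plus the core Firefox profile files that carry bookmarks, history and prefs.
DATA_EXTENSIONS = {'.jpg', '.jpeg', '.png', '.gif', '.bmp', '.doc', '.docx', '.txt', '.rtf', '.pdf'}
FIREFOX_PROFILE_FILES = {'places.sqlite', 'prefs.js', 'key3.db', 'signons.sqlite',
                         'cookies.sqlite', 'formhistory.sqlite'}

# Constructed sample of a user profile, relative path -> content (first bytes matter).
SAMPLE_FILES = {
    'My Pictures/holiday.jpg': b'\xff\xd8\xff\xe0 jpeg body',
    'My Pictures/not_really.jpg': b'MZ\x90\x00 renamed executable',
    'My Documents/essay.doc': b'\xd0\xcf\x11\xe0 ole2 body',
    'My Documents/notes.txt': b'plain text',
    'Desktop/Project64k/Project64k.exe': b'MZ\x90\x00 pe body',
    'Desktop/page.htm': b'<html><iframe src="x"></iframe></html>',
    'Mozilla/Firefox/Profiles/5yq8wbxu.default/prefs.js': b'user_pref("browser.startup.homepage", "www.google.com");',
}


def classify(name, head):
    """Decide whether file `name` with leading bytes `head` may be copied.

    Returns (allowed, reason). The MZ check runs first so a renamed
    executable is refused even when its extension is on the allow-list.
    """
    if head[:2] == b'MZ':
        return False, 'PE executable header (possibly infected binary)'
    ext = os.path.splitext(name)[1].lower()
    if ext in DATA_EXTENSIONS or name.lower() in FIREFOX_PROFILE_FILES:
        return True, 'data file'
    return False, 'extension not on allow-list'


def backup_tree(src, dst):
    """Walk src and copy allowed files into dst, keeping the directory layout.

    Returns (copied, skipped): relative paths copied, and (path, reason) pairs
    for everything refused, so the owner can see what did not make it.
    """
    copied, skipped = [], []
    for root, _dirs, files in os.walk(src):
        for name in files:
            path = os.path.join(root, name)
            with open(path, 'rb') as fh:
                head = fh.read(2)
            rel = os.path.relpath(path, src).replace(os.sep, '/')
            allowed, reason = classify(name, head)
            if allowed:
                target = os.path.join(dst, rel)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                shutil.copy2(path, target)
                copied.append(rel)
            else:
                skipped.append((rel, reason))
    return sorted(copied), sorted(skipped)


def demo():
    """Build the sample tree in a temp dir, back it up, return (copied, skipped)."""
    with tempfile.TemporaryDirectory() as work:
        src, dst = os.path.join(work, 'infected'), os.path.join(work, 'backup')
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(src, *rel.split('/'))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, 'wb') as fh:
                fh.write(content)
        copied, skipped = backup_tree(src, dst)
        # Nothing that reached the backup may start with the PE magic.
        for rel in copied:
            with open(os.path.join(dst, rel), 'rb') as fh:
                assert fh.read(2) != b'MZ'
        return copied, skipped


if __name__ == '__main__':
    copied, skipped = demo()
    print('copied:', *copied, sep='\n  ')
    print('skipped:', *(f'{p}  ({why})' for p, why in skipped), sep='\n  ')
```

For the real job, call `backup_tree(r'C:\Documents and Settings\Administrator', r'E:\backup')` from a clean machine with the infected disk attached read-only, then scan the destination once more before it goes anywhere near the rebuilt system.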

#7 ranfan

  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Local time:08:35 AM

Posted 23 February 2014 - 10:12 AM

Good to hear. I'll start as soon as I can.

#8 ranfan

  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Local time:08:35 AM

Posted 27 February 2014 - 06:09 AM

Thank you for your help in solving this issue. Everything's back to normal again.

#9 aharonov


  • Malware Response Team
  • 2,441 posts
  • Gender:Male
  • Local time:03:35 PM

Posted 27 February 2014 - 06:38 AM

This is good to hear, thanks for letting me know.

My help is free for everybody.
If you want to support me fighting against malware or buy me a beer for the assistance you received, then you can consider a donation.
Thank you!

#10 aharonov


  • Malware Response Team
  • 2,441 posts
  • Gender:Male
  • Local time:03:35 PM

Posted 27 February 2014 - 06:38 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
