Solved: Virus or adware, hijack this log
midsofo (Junior Member, 9 posts; joined Nov 2009; experience: Intermediate)
05-Nov-2009, 11:10 AM #1
Virus or adware, hijack this log
I have something attacking my son's computer. It will not allow me to run an online scan without interrupting the internet and creating a problem and closing. It has also removed this IE icon. I can retrieve it though. This operating system is XP. Here is the HijackThis log. Thanks for your help.

Logfile of HijackThis v1.97.7
Scan saved at 8:48:28 AM, on 11/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\TEMP\29084334.exe
C:\WINDOWS\TEMP\934640629.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\1836640649.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\TEMP\2739382817.exe
C:\WINDOWS\TEMP\3641996843.exe
C:\WINDOWS\TEMP\4544837511.exe
C:\WINDOWS\TEMP\4546912532.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\TEMP\5447714040.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\lsm32.sys
C:\Documents and Settings\Brent Powell\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://join.clonecashsystem.com/trac...UuMC4wLjAuMC4w
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
F1 - win.ini: load=C:\WINDOWS\fonts\services.exe
F1 - win.ini: run=C:\WINDOWS\fonts\services.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Brent Powell\Application Data\Mozilla\Profiles\default\1j1jfv83.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealOne Player\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [msnmager] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\TEMP\decbah.dll,Set1
O4 - HKLM\..\Run: [ter8m] RUNDLL32.EXE C:\WINDOWS\system32\msxm192z.dll,w
O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart QB_ONLY next
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopRock] C:\DOCUME~1\BRENTP~1\LOCALS~1\Temp\a.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8942.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - http://download.microsoft.com/downlo...-US/msorun.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E6BB2089-163F-466B-812A-748096614DFD} (CAScanner Control) - http://cainternetsecurity.net/scanner/cascanner.cab
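As an added example that is not part of the original thread and not HijackThis's own logic, the following Python script applies the checks an analyst makes by eye on a log like the one above: executables running from a TEMP or fonts directory, core Windows binary names found outside system32, numeric-only filenames, a non-.exe image listed as a running process, non-empty win.ini load=/run= values, and rundll32 autostart entries. The sample lines are copied from the posted log; the scoring rules are the example's own heuristics and can flag legitimate software, so each hit still needs a human look.

```python
"""Triage of a HijackThis-style log.

Added example for this thread, not HijackThis's own logic and not code from
the original post. It applies the checks an analyst makes by eye on a log like
the one above; the rules are heuristics and can flag legitimate software.
"""
import re

# Constructed sample: a subset of the lines from the log posted in #1.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\TEMP\29084334.exe
C:\WINDOWS\TEMP\934640629.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\lsm32.sys
F1 - win.ini: load=C:\WINDOWS\fonts\services.exe
F1 - win.ini: run=C:\WINDOWS\fonts\services.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnmager] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\TEMP\decbah.dll,Set1
O4 - HKLM\..\Run: [ter8m] RUNDLL32.EXE C:\WINDOWS\system32\msxm192z.dll,w
O4 - HKCU\..\Run: [PopRock] C:\DOCUME~1\BRENTP~1\LOCALS~1\Temp\a.exe
"""

# A drive-letter path ending in an executable extension; quotes, commas and a
# second drive letter terminate it, so "rundll32.exe C:\...\x.dll,Set1" yields two paths.
PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^"\\,:]+\\)*[^"\\,:]+?\.(?:exe|dll|sys|scr|com)\b', re.I)
ENTRY_RE = re.compile(r"^([A-Z]\d+) - ")           # HijackThis entry tag, e.g. "O4 - "
NUMERIC_NAME = re.compile(r"^\d{6,}\.exe$", re.I)  # 29084334.exe-style dropper names
# Directories no legitimate autostart binary should live in (heuristic).
BAD_DIRS = re.compile(r"\\(?:temp|fonts)\\", re.I)
# Core Windows binaries that belong only in %SystemRoot%\system32.
CORE_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
              "svchost.exe", "spoolsv.exe", "userinit.exe"}


def assess_path(path, context):
    """Return reasons a single file path looks suspicious (empty list if none)."""
    parent, _, name = path.rpartition("\\")
    parent, name = parent.lower(), name.lower()
    reasons = []
    if BAD_DIRS.search(parent + "\\"):
        reasons.append(f"executable code in a temp/fonts directory: {path}")
    if name in CORE_NAMES and not parent.endswith("\\system32"):
        reasons.append(f"core Windows binary outside system32: {path}")
    if NUMERIC_NAME.match(name):
        reasons.append(f"numeric-only filename: {path}")
    if context == "process" and not name.endswith(".exe"):
        reasons.append(f"non-.exe image listed as a running process: {path}")
    return reasons


def assess_entry(code, line):
    """Return reasons a tagged HijackThis entry (F1, O4, ...) looks suspicious."""
    reasons = []
    if code == "F1" and re.search(r"(?:load|run)=\S", line):
        reasons.append("win.ini load=/run= is normally empty; this value autostarts at logon")
    if code == "O4" and "rundll32" in line.lower():
        reasons.append("rundll32 autostart; confirm the DLL belongs to a known product")
    for path in PATH_RE.findall(line):
        reasons.extend(assess_path(path, "entry"))
    return reasons


def triage(log_text):
    """Return [(line, [reasons])] for every flagged line in the log."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            in_processes = False      # the first tagged entry ends the process list
            reasons = assess_entry(entry.group(1), line)
        elif in_processes:
            reasons = assess_path(line, "process")
        else:
            continue
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line, reasons in triage(text):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run it with a saved log as the first argument, or with no argument to triage the embedded sample. On the posted log it singles out exactly the entries an analyst would ask about first: the numbered executables in C:\WINDOWS\TEMP, svchost.exe running from C:\WINDOWS instead of system32, the .sys file listed as a process, the win.ini load=/run= lines pointing into the fonts directory, and the two rundll32 Run values; the Adobe, QuickTime and genuine system32 entries pass untouched.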
midsofo, 05-Nov-2009, 11:58 PM #2
Also won't allow malware software
It is also killing Malwarebytes' Anti-Malware before it can scan.
NeonFx (Senior Member, 4,817 posts; joined Oct 2008; California, USA)
06-Nov-2009, 01:24 AM #3
Hello there. Welcome to the Tech Support Guy forums.
My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.

Please note the following:

  • The fixes are specific to your problem and should only be used on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
  • It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Step 1

Download OTS to your Desktop


  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • Reg - NetSvcs
    • Reg - Shell Spawning
    • Reg - Uninstall List
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.


Please attach the log in your next post. To do so click on the blue "Reply" button or "Go Advanced" and click on the "Manage Attachments" button

To ensure that I get all the information this log will need to be attached. If it is too large to attach then upload it to Dropio and post the sharing link/url (The Drop's URL will be similar to : http:://drop.io/daerk)

Step 2

Download RootRepeal from one of the following locations and save it to your desktop:
Link 1
Link 2
Link 3
  • Double click to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT

  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, click the button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program


If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
midsofo, 06-Nov-2009, 11:29 AM #4
Tried
I tried to run IE, but it will not load a page. I then used a thumb drive to save the two scan programs from a different computer. I attempted to open the drive via "My Computer"; it would not work. I opened the program by going into Microsoft Word. It opened and I began the scan; the scan shut down after it was running for about 45 sec.
NeonFx, 06-Nov-2009, 03:05 PM #5
Alright. Let's try to run the following two programs instead to see what we're dealing with. You're doing good by getting them to run.

Other ways you can run "My Computer" are holding down your Windows Key (looks like a flag) and pressing the "E" key. This will open Explorer.

You can also hold down Ctrl+Alt+Del (or Ctrl+Shift+Esc) to open the Task Manager. You can then click on File > New Task... or click on the New Task button to open a Run dialog (you can also open a Run dialog by holding down your "Windows Flag Key" and pressing "R") and then type in explorer.exe. (You can type anything in here. If you want to run OTS.exe from your flash drive, for example, you would use X:\OTS.exe where X is your flash drive's letter.)

STEP 1

Please download Win32Diag from one of the links below and save it to your desktop.

Link 1
Link 2
Link 3


  1. Double-click on Win32Diag.exe to run it. If you are using Windows Vista, please right-click and select Run As Administrator.
  2. A black command prompt window shall appear.
  3. It will now begin to scan. This may take a while; please be patient until the scan is complete.
  4. Once it's done, the black screen will say "Finished! Press any key to exit...." Press any key to exit.
  5. A log file called Win32KDiag.txt will be created on your desktop.
  6. Please copy and paste the contents of that log file here in your next reply.



STEP 2

Download the GMER Rootkit Scanner.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.
midsofo, 07-Nov-2009, 08:07 PM #6
Logs
OK Here ya go.
Attachment Blocked
NeonFx, 07-Nov-2009, 09:33 PM #7
Alright I can see it now, let's do the following:

STEP 1

Please delete your version of Win32kDiag.exe (along with the old Win32kDiag.txt file that was created) and redownload it from HERE

Make sure win32kdiag.exe is on your Desktop. Click on Start -> Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. (If you use Vista, just paste it into the text box that appears next to your Start button.)

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.



STEP 2


NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop



  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Disabling Security Programs
  • Double click on ComboFix.exe & follow the prompts.

    Note: Combofix will run without the Recovery Console installed.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you please let me know. An increasing number of infections are spreading using Autoplay and leaving it disabled is a good idea.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
midsofo, 08-Nov-2009, 04:55 PM #8
new log
I ran the Win32kDiag on the computer, the log is attached. The Combo Fix will not run. It directs me to download from: http://download.bleepingcomputer.com...o-use-combofix (which seems to be a dead link). I downloaded from your other link and same result. Here is the message it gives me after trying to run:
!!ALERT!! It is NOT safe to continue. The contents of the ComboFix package has been compromised. Please download a fresh copy from http://download.bleepingcomputer.com/sUBs/ComboFix/how-to-use-combofix
Note: You may be infected with a patching virus 'virut'

Nice bug I seem to have!
Attachment Blocked
NeonFx, 08-Nov-2009, 05:20 PM #9
You didn't seem to run Win32kdiag.txt properly. I need you to run the following command including the -f and -r after it, not double clicking on the icon. You need to copy and paste the following into a run dialog:

"%userprofile%\desktop\win32kdiag.exe" -f -r

Try doing that, and then try running ComboFix again. You might have to delete your copy and redownload it.
midsofo, 08-Nov-2009, 11:26 PM #10
my bad
Sorry about the wrong file. Here is the new log, run with the cut & paste directions. The computer will download ComboFix but will not run it. It gives the same ALERT message as in my earlier post and deletes the program immediately after acknowledging the alert...? Is this something I am doing?
Attachment Blocked
NeonFx, 08-Nov-2009, 11:31 PM #11
No, if you're still getting that error message after doing that then it's even more likely you have been infected by something like Virut.

Let's scan a couple files to confirm it:

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    c:\windows\system32\userinit.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


Please do the same thing for the following:

c:\windows\system32\svchost.exe
c:\windows\explorer.exe
c:\windows\system32\spoolsv.exe
midsofo, 08-Nov-2009, 11:57 PM #12
Here you go, Virut everywhere!
userinit log:

VirSCAN.org Scanned Report :
Scanned time : 2009/11/08 21:26:59 (CST)
Scanner results: 54% Scanner(s) (20/37) found malware!
File Name : userinit.exe
File Size : 46080 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 9e8e0c31457b19c79ed2e0251a7c5f45
SHA1 : 20099fa5e65b9ce5ac4bc7eb29a1c514fda45d87
Online report : http://virscan.org/report/433f0e558a...86b54a0d0.html
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091108053125 2009-11-08 4.14 Gen.Malware!IK
AhnLab V3 2009.11.07.00 2009.11.07 2009-11-07 1.01 Win32/Virut.E
AntiVir 8.2.1.61 7.1.6.204 2009-11-08 0.12 W32/Virut.Gen
Antiy 2.0.18 20091105.3216324 2009-11-05 0.02 -
Arcavir 2009 200911070243 2009-11-07 0.05 -
Authentium 5.1.1 200911081739 2009-11-08 1.21 W32/Virut.AI!Generic (Heuristic)
AVAST! 4.7.4 091108-1 2009-11-08 0.01 -
AVG 8.5.288 270.14.55/2490 2009-11-09 1.60 -
BitDefender 7.81008.4482434 7.28827 2009-11-09 3.89 -
CA (VET) 35.1.0 7107 2009-11-05 6.13 -
ClamAV 0.95.2 10000 2009-11-08 0.01 -
Comodo 3.12 2890 2009-11-08 0.72 -
CP Secure 1.3.0.5 2009.11.09 2009-11-09 0.06 -
Dr.Web 4.44.0.9170 2009.11.08 2009-11-08 6.45 Win32.Virut.56
F-Prot 4.4.4.56 20091108 2009-11-08 1.20 Possible W32/Virut.AI!Generic
F-Secure 7.02.73807 2009.11.09.02 2009-11-09 0.09 Virus.Win32.Virut.ce [AVP]
Fortinet 2.81-3.120 11.39 2009-11-08 0.19 -
GData 19.8777/19.546 20091109 2009-11-09 6.13 Virus.Win32.Virut.ce [Engine:A]
ViRobot 20091106 2009.11.06 2009-11-06 0.43 -
Ikarus T3.1.01.74 2009.11.09.74488 2009-11-09 4.04 Gen.Malware
JiangMin 11.0.800 2009.11.08 2009-11-08 4.36 Win32/Virut.bq
Kaspersky 5.5.10 2009.11.09 2009-11-09 0.06 Virus.Win32.Virut.ce
KingSoft 2009.2.5.15 2009.11.8.15 2009-11-08 0.51 Win32.Virut.cr.61440
McAfee 5.3.00 5796 2009-11-08 3.44 W32/Virut.n.gen
Microsoft 1.5202 2009.11.08 2009-11-08 6.70 Virus:Win32/Virut.gen!O
Norman 6.01.09 6.01.00 2009-11-06 4.01 -
Panda 9.05.01 2009.11.08 2009-11-08 1.83 -
Trend Micro 8.700-1004 6.612.07 2009-11-08 0.05 PE_VIRUX.GEN-2
Quick Heal 10.00 2009.11.07 2009-11-07 1.21 W32.Virut.G
Rising 20.0 21.55.00.00 2009-11-09 0.96 Win32.Virut.cl
Sophos 3.00.1 4.46 2009-11-09 2.97 -
Sunbelt 5498 5498 2009-11-08 1.74 Virus.Win32.Virut.ce (v)
Symantec 1.3.0.24 20091108.002 2009-11-08 0.09 W32.Virut.CF
nProtect 20091108.01 6121832 2009-11-08 7.46 Trojan/W32.Agent2.46080.D
The Hacker 6.5.0.2 v00063 2009-11-06 0.71 -
VBA32 3.12.10.11 20091108.2047 2009-11-08 2.00 -
VirusBuster 4.5.11.10 10.113.11/2003707 2009-11-09 3.16 -

svchost.exe log: Nothing found

explorer.exe:

VirSCAN.org Scanned Report :
Scanned time : 2009/11/08 21:37:20 (CST)
Scanner results: 51% Scanner(s) (19/37) found malware!
File Name : explorer.exe
File Size : 1053696 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : e3a56ffec2f92ca037a98145b5c607cd
SHA1 : 91759e30451dc991c22d64bd36eddcd317d470e5
Online report : http://virscan.org/report/4afcb85bed...18c3e8af3.html
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091108053125 2009-11-08 4.03 Trojan.Win32.Patched!IK
AhnLab V3 2009.11.07.00 2009.11.07 2009-11-07 0.92 Win32/Virut.E
AntiVir 8.2.1.61 7.1.6.204 2009-11-08 0.07 W32/Virut.Gen
Antiy 2.0.18 20091105.3216324 2009-11-05 0.02 -
Arcavir 2009 200911070243 2009-11-07 0.09 -
Authentium 5.1.1 200911081739 2009-11-08 1.28 W32/Virut.AI!Generic (Heuristic)
AVAST! 4.7.4 091108-1 2009-11-08 0.05 -
AVG 8.5.288 270.14.55/2490 2009-11-09 1.42 -
BitDefender 7.81008.4482434 7.28827 2009-11-09 3.97 -
CA (VET) 35.1.0 7107 2009-11-05 5.17 -
ClamAV 0.95.2 10000 2009-11-08 0.17 -
Comodo 3.12 2890 2009-11-08 1.20 -
CP Secure 1.3.0.5 2009.11.09 2009-11-09 0.41 -
Dr.Web 4.44.0.9170 2009.11.08 2009-11-08 6.47 Win32.Virut.56
F-Prot 4.4.4.56 20091108 2009-11-08 1.26 Possible W32/Virut.AI!Generic
F-Secure 7.02.73807 2009.11.09.02 2009-11-09 0.17 Virus.Win32.Virut.ce [AVP]
Fortinet 2.81-3.120 11.39 2009-11-08 0.27 -
GData 19.8777/19.546 20091109 2009-11-09 5.49 Virus.Win32.Virut.ce [Engine:A]
ViRobot 20091106 2009.11.06 2009-11-06 0.42 -
Ikarus T3.1.01.74 2009.11.09.74488 2009-11-09 4.09 Trojan.Win32.Patched
JiangMin 11.0.800 2009.11.08 2009-11-08 4.05 Win32/Virut.bq
Kaspersky 5.5.10 2009.11.09 2009-11-09 0.07 Virus.Win32.Virut.ce
KingSoft 2009.2.5.15 2009.11.8.15 2009-11-08 0.52 Win32.Virut.cr.61440
McAfee 5.3.00 5796 2009-11-08 3.47 W32/Virut.n.gen
Microsoft 1.5202 2009.11.08 2009-11-08 7.28 Virus:Win32/Virut.gen!O
Norman 6.01.09 6.01.00 2009-11-06 4.01 -
Panda 9.05.01 2009.11.08 2009-11-08 3.61 -
Trend Micro 8.700-1004 6.612.07 2009-11-08 0.10 PE_VIRUX.GEN-2
Quick Heal 10.00 2009.11.07 2009-11-07 1.55 W32.Virut.G
Rising 20.0 21.55.00.00 2009-11-09 1.22 Win32.Virut.cl
Sophos 3.00.1 4.46 2009-11-09 3.03 -
Sunbelt 5498 5498 2009-11-08 2.19 Virus.Win32.Virut.ce (v)
Symantec 1.3.0.24 20091108.002 2009-11-08 0.09 W32.Virut.CF
nProtect 20091108.01 6121832 2009-11-08 8.93 -
The Hacker 6.5.0.2 v00063 2009-11-06 0.74 -
VBA32 3.12.10.11 20091108.2047 2009-11-08 2.10 -
VirusBuster 4.5.11.10 10.113.11/2003707 2009-11-09 3.60 -

spoolsv.exe log:

VirSCAN.org Scanned Report :
Scanned time : 2009/11/08 21:40:18 (CST)
Scanner results: 49% Scanner(s) (18/37) found malware!
File Name : spoolsv.exe
File Size : 77824 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : d1e73dff7192d7a12b9e729fd7248c0c
SHA1 : a60f1ee22051ed92835907ce40b08016c501705f
Online report : http://virscan.org/report/0575e7fd3e...88cad0a4d.html
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091108053125 2009-11-08 3.96 -
AhnLab V3 2009.11.07.00 2009.11.07 2009-11-07 0.92 Win32/Virut.E
AntiVir 8.2.1.61 7.1.6.204 2009-11-08 0.12 W32/Virut.Gen
Antiy 2.0.18 20091105.3216324 2009-11-05 0.02 -
Arcavir 2009 200911070243 2009-11-07 0.06 -
Authentium 5.1.1 200911081739 2009-11-08 1.23 W32/Virut.AI!Generic (Heuristic)
AVAST! 4.7.4 091108-1 2009-11-08 0.01 -
AVG 8.5.288 270.14.55/2490 2009-11-09 1.61 -
BitDefender 7.81008.4482434 7.28827 2009-11-09 3.91 -
CA (VET) 35.1.0 7107 2009-11-05 6.39 -
ClamAV 0.95.2 10000 2009-11-08 0.02 -
Comodo 3.12 2890 2009-11-08 0.73 -
CP Secure 1.3.0.5 2009.11.09 2009-11-09 0.06 -
Dr.Web 4.44.0.9170 2009.11.08 2009-11-08 6.62 Win32.Virut.56
F-Prot 4.4.4.56 20091108 2009-11-08 1.25 Possible W32/Virut.AI!Generic
F-Secure 7.02.73807 2009.11.09.02 2009-11-09 0.10 Virus.Win32.Virut.ce [AVP]
Fortinet 2.81-3.120 11.39 2009-11-08 0.25 -
GData 19.8777/19.546 20091109 2009-11-09 4.68 Virus.Win32.Virut.ce [Engine:A]
ViRobot 20091106 2009.11.06 2009-11-06 0.44 -
Ikarus T3.1.01.74 2009.11.09.74488 2009-11-09 4.11 -
JiangMin 11.0.800 2009.11.08 2009-11-08 8.87 Win32/Virut.bq
Kaspersky 5.5.10 2009.11.09 2009-11-09 0.06 Virus.Win32.Virut.ce
KingSoft 2009.2.5.15 2009.11.8.15 2009-11-08 0.57 Win32.Virut.cr.61440
McAfee 5.3.00 5796 2009-11-08 3.48 W32/Virut.n.gen
Microsoft 1.5202 2009.11.08 2009-11-08 8.24 Virus:Win32/Virut.gen!O
Norman 6.01.09 6.01.00 2009-11-06 2.01 -
Panda 9.05.01 2009.11.08 2009-11-08 2.00 Suspicious file
Trend Micro 8.700-1004 6.612.07 2009-11-08 0.07 Cryp_Xed-21
Quick Heal 10.00 2009.11.07 2009-11-07 1.34 W32.Virut.G
Rising 20.0 21.55.00.00 2009-11-09 0.99 Win32.Virut.cl
Sophos 3.00.1 4.46 2009-11-09 2.99 -
Sunbelt 5498 5498 2009-11-08 2.73 Virus.Win32.Virut.ce (v)
Symantec 1.3.0.24 20091108.002 2009-11-08 0.06 W32.Virut.CF
nProtect 20091108.01 6121832 2009-11-08 9.20 -
The Hacker 6.5.0.2 v00063 2009-11-06 0.73 -
VBA32 3.12.10.11 20091108.2047 2009-11-08 2.03 -
VirusBuster 4.5.11.10 10.113.11/2003707 2009-11-09 3.24 -
NeonFx, 09-Nov-2009, 12:03 AM #13
Virut is not disinfectable. Your only option is to perform a full reformat.

Virut is a file-infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

Miekiemoes, an expert in malware removal and an MS-MVP, has a blog post about Virut if you would like more information.

I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc.
Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files.
This is because these files may be infected as well. If you back them up and restore them afterwards, they will infect your computer again.

Note: If you have to back up files, do so only for MS Office documents and any non-executable files. You should know, though, that these have been found to be infected by Virut as well. Burn them to CD/DVD. Do NOT copy files from the infected machine to your pen drive OR another machine. You risk infecting the other machine.

Virut is not disinfectable. Your only option is to perform a full reformat. Do NOT attempt a repair install. It will be a waste of time. If you do so, the infected executables remain on the machine and you will likely trigger another bout of Virut.

If you do not know how to perform a fresh install, use these websites and read the instructions on how to format and reinstall Windows:

http://web.mit.edu/ist/products/winxp/adva...all-format.html

http://www.windowsreinstall.com/

Sorry for the bad news...
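NeonFx's point above is that Virut is a file infector: it patches executables that already exist rather than dropping a separate file, which is why userinit.exe, explorer.exe and spoolsv.exe all came back flagged even though they are legitimate Windows binaries. As an added example, not from the thread and not from HijackThis, ComboFix or any AV vendor, the script below is a minimal PE header parser that applies the classic appending-infector heuristics: the entry point has been moved into the last section, into a section that is writable as well as executable, or into a section not named as code. The two sample images are constructed inside the script and are not real Windows binaries; the rules are the example's own, they fire on packed or unusual binaries too, and they miss entry-point-obscuring infectors, so they are a triage aid rather than a verdict.

```python
"""PE entry-point heuristics for spotting an appending file infector.

Added example for this thread; not code from the original post, from HijackThis,
ComboFix or any AV vendor. The two sample images are built in this script and are
not real Windows binaries. The rules are heuristics: packed or unusual binaries
trigger them too, and entry-point-obscuring infectors slip past them.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"        # IMAGE_SECTION_HEADER layout, 40 bytes


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]      # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # COFF SizeOfOptionalHeader
    opt_off = pe_off + 24                                      # optional header after 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]    # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsect):
        name, vsize, va, raw_size, _, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "raw_size": raw_size, "chars": chars})
    return entry, sections


def entry_point_findings(data):
    """Apply appending-infector heuristics; return a list of human-readable findings."""
    entry, sections = parse_pe(data)
    if entry == 0:
        return []                     # legitimate for resource-only DLLs; nothing to judge
    home = None
    for idx, s in enumerate(sections):
        if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw_size"]):
            home = idx
            break
    if home is None:
        return ["entry point 0x%x lies outside every section" % entry]
    s = sections[home]
    findings = []
    if not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %s is not marked executable" % s["name"])
    if s["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("entry section %s is writable" % s["name"])
    if len(sections) > 1 and home == len(sections) - 1:
        findings.append("entry point is in the last section (%s), typical of an appending infector" % s["name"])
    if s["name"].lower() not in (".text", "code", ".code"):
        findings.append("entry point is in %r rather than a conventional code section" % s["name"])
    return findings


def build_pe(sections, entry_rva):
    """Build a minimal PE32 header (no section bodies), enough for the parser above."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva)
    opt += b"\0" * (224 - len(opt))                               # pad to PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                                 vsize, va, vsize, 0, 0, 0, 0, 0, chars)
                     for name, va, vsize, chars in sections)
    return dos + b"PE\0\0" + coff + opt + table


# Constructed samples: a conventional layout, and the same file after an imagined
# infection that appended a read/write/execute section and moved the entry point there.
CLEAN = build_pe([(".text", 0x1000, 0x4000, 0x60000020),
                  (".data", 0x5000, 0x1000, 0xC0000040),
                  (".rsrc", 0x6000, 0x1000, 0x40000040)], entry_rva=0x1234)
INFECTED = build_pe([(".text", 0x1000, 0x4000, 0x60000020),
                     (".data", 0x5000, 0x1000, 0xC0000040),
                     (".rsrc", 0x6000, 0x1000, 0x40000040),
                     (".xyz", 0x7000, 0x2000, 0xE0000020)], entry_rva=0x7010)


def scan_file(path):
    """Run the heuristics over a file on disk, e.g. a copy of userinit.exe."""
    with open(path, "rb") as f:
        return entry_point_findings(f.read())


if __name__ == "__main__":
    import sys
    targets = [(p, scan_file(p)) for p in sys.argv[1:]] or [
        ("clean sample", entry_point_findings(CLEAN)),
        ("infected sample", entry_point_findings(INFECTED))]
    for label, findings in targets:
        print(label, "->", findings or "no entry-point anomalies")
```

Pass file paths on the command line to scan real binaries (copy them off the machine first, since Virut-infected files execute the virus when run); with no arguments it reports on the two built-in samples. A file that passes these checks has not been proven clean, which is exactly why the thread relies on multi-engine scanning and, in the end, a reinstall rather than on any single heuristic.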
midsofo, 09-Nov-2009, 12:10 AM #14
Well #@$%!! Thanks for all your help! Guess we(I) will get started on that. Is this something I can look out for later?
NeonFx, 09-Nov-2009, 12:24 AM #15
I'd be glad to check your computer out and give you some more advice once you're done.

To start off though, once you reformat make sure you install a good AntiVirus program. This is to both ensure you are clean if you backup some files, and so that you stay clean.

Please select one of the following free security programs and install it after you reformat and reinstall Windows: AVG, Avast, AntiVir, Comodo.