ATAPI.SYS Rootkit Virus

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

neutron411

Thread Starter
Joined
Apr 17, 2010
Messages
4
Please help! This is taking me forever to get rid of! I am quite sure I have gotten a rootkit virus in atapi.sys. If I run GMER, I get a "tvtfjc" in the boot. I have been unable to run COMBOFIX--it comes back with a "VIRUT" warning and deletes itself. I am running Windows Vista and can only run in safe mode. Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:24 PM, on 4/17/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18385)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: (no name) - {c3e0b935-915a-44a6-aecc-dd3152dfad3e} - gumeyesu.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SD_Tips] iexplore http://www.spywaredetector.net/tips_vista.htm
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\program files\malwarebytes' anti-malware\mbam .exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe -Update -1150595 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" -"http://www.pearsonsuccessnet.com/snpapp/iText/products/0-13-116327-2/ch4a/ch4a_s2_4.html"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [zabugavehi] Rundll32.exe "faweziju.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: app_dll.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: peresvc Service (peresvc) - lowest systems - C:\Windows\system32\PereSvc.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 8775 bytes
 

CatByte

Malware Specialist
Joined
Feb 24, 2009
Messages
3,930
Hi,

If you do have virut on your machine then the only solution is a complete reformat and reinstall. Virut is a polymorphic file infector that cannot be cleaned.


Please run the following check to make sure this is what you have.

Note:

If you have used any USBs in this machine, those, too, need to be formatted. (Any machines that you have used potentially infected USBs in will need to be checked also.)


Please do the following:


  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    c:\windows\system32\userinit.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Please do the same for the following files:
c:\windows\explorer.exe
C:\Windows\system32\DllHost.exe
c:\windows\system32\spoolsv.exe


NEXT


We would be grateful if you could assist us in our research into this infection by providing us with some samples and information from your machine. This will only take a minute or two to complete, and is very simple. If you wish to help us, please do the following:
  • Download VAPrep.bat and save it to your Desktop.
  • Double-click VAPrep.bat to run it. It will only take a moment to complete.
  • When done, please right-click the VAPrep folder which should now be on your Desktop. Select Send To >> Compressed (zipped) Folder.
  • Next, please go to this webpage.
  • Browse to the VAPrep.zip zipped folder you just created.
  • Click Send File.
Once done, you can delete the VAPrep folder and .zip file from your Desktop. Thanks for helping us out.
 

neutron411

Thread Starter
Joined
Apr 17, 2010
Messages
4
I wasn't able to get the userinit.exe file to scan correctly, but the other file scans show multiple instances of some sort of "virut" variant. Based on your previous post, my guess is that I will need to dump windows and start over. Is it okay to save my data files and music? (BTW, I think a music download is where the virus started.)

Also, I tried to run the VAPrep batch file. A DOS-type window pops up quickly, then nothing happens--it does not leave a file on the desktop. This is a really nasty virus.


VirSCAN.org Scanned Report :
Scanned time : 2010/04/19 07:02:41 (CST)
Scanner results: 50% Scanner(s) (18/36) found malware!
File Name : explorer.exe
File Size : 2951680 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 7e4b72a635862f8ffb1ad5439337a26b
SHA1 : 25af99eb4418a98eb6570a856d06ec363b98295d
Online report : http://virscan.org/report/028e52f7dd9e1320cbeb9ad08a72e19c.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100419011346 2010-04-19 4.95 -
AhnLab V3 2010.04.18.01 2010.04.18 2010-04-18 1.13 -
AntiVir 8.2.1.220 7.10.6.116 2010-04-18 0.26 W32/Virut.Gen
Antiy 2.0.18 20100416.4196309 2010-04-16 0.12 -
Arcavir 2009 201004180324 2010-04-18 0.15 -
Authentium 5.1.1 201004161205 2010-04-16 1.80 -
AVAST! 4.7.4 100418-1 2010-04-18 0.12 Win32:Vitro
AVG 8.5.720 271.1.1/2819 2010-04-19 1.15 Win32/DH.AA54534F48suspicion
BitDefender 7.81008.5680072 7.31274 2010-04-19 3.59 Win32.Virtob.Gen.12
ClamAV 0.95.3 10755 2010-04-17 0.35 -
Comodo 3.13.579 4640 2010-04-19 1.04 Virus.Win32.Virut.Ce
CP Secure 1.3.0.5 2010.04.19 2010-04-19 0.48 -
Dr.Web 5.0.2.3300 2010.04.19 2010-04-19 6.55 Win32.Virut.56
F-Prot 4.4.4.56 20100418 2010-04-18 1.75 -
F-Secure 7.02.73807 2010.04.18.05 2010-04-18 10.79 Virus.Win32.Virut.ce [AVP]
Fortinet 4.0.14 11.702 2010-04-15 0.38 -
GData 19.11029/19.894 20100418 2010-04-18 6.71 Virus.Win32.Virut.ce [Engine:A]
ViRobot 20100417 2010.04.17 2010-04-17 0.41 -
Ikarus T3.1.01.80 2010.04.18.75657 2010-04-18 5.90 -
JiangMin 13.0.900 2010.04.18 2010-04-18 1.24 -
Kaspersky 5.5.10 2010.04.18 2010-04-18 0.13 Virus.Win32.Virut.ce
KingSoft 2009.2.5.15 2010.4.18.22 2010-04-18 0.70 -
McAfee 5400.1158 5952 2010-04-15 0.02 -
Microsoft 1.5605 2010.04.18 2010-04-18 7.89 Virus:Win32/Virut.BN
Norman 6.04.11 6.04.00 2010-04-16 6.01 W32/Virut.GE
Panda 9.05.01 2010.04.18 2010-04-18 1.93 W32/Sality.AO
Trend Micro 9.120-1004 7.110.12 2010-04-18 0.00 -
Quick Heal 10.00 2010.04.17 2010-04-17 2.41 W32.Virut.G
Rising 20.0 22.43.06.01 2010-04-18 1.62 Win32.Virut.cl
Sophos 3.06.0 4.52 2010-04-19 3.48 W32/Scribble-B
Sunbelt 3.9.2418.2 6193 2010-04-18 4.97 Virus.Win32.Virut.ce (v)
Symantec 1.3.0.24 20100418.002 2010-04-18 0.12 W32.Virut.CF
nProtect 20100417.01 8007176 2010-04-17 7.68 -
The Hacker 6.5.2.0 v00264 2010-04-18 0.61 -
VBA32 3.12.12.4 20100416.2057 2010-04-16 2.91 -
VirusBuster 4.5.11.10 10.124.17/2029311 2010-04-18 3.92 Win32.Virut.AB.Gen

VirSCAN.org Scanned Report :
Scanned time : 2010/04/19 07:09:23 (CST)
Scanner results: 50% Scanner(s) (18/36) found malware!
File Name : dllhost.exe
File Size : 31744 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 9e85247a9c10e3a30d94bd87ecf5e7f0
SHA1 : 98db08aa98905f21072c5383eb9e03d9725b3f98
Online report : http://virscan.org/report/ae9ed142819b57cb8600d115cb81471a.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100419011346 2010-04-19 4.64 -
AhnLab V3 2010.04.18.01 2010.04.18 2010-04-18 1.09 -
AntiVir 8.2.1.220 7.10.6.116 2010-04-18 0.26 W32/Virut.Gen
Antiy 2.0.18 20100416.4196309 2010-04-16 0.12 -
Arcavir 2009 201004180324 2010-04-18 0.10 -
Authentium 5.1.1 201004161205 2010-04-16 1.74 -
AVAST! 4.7.4 100418-1 2010-04-18 0.01 Win32:Vitro
AVG 8.5.720 271.1.1/2819 2010-04-19 1.15 Win32/DH.AA54534F48suspicion
BitDefender 7.81008.5680072 7.31274 2010-04-19 3.58 Win32.Virtob.Gen.12
ClamAV 0.95.3 10755 2010-04-17 0.01 -
Comodo 3.13.579 4640 2010-04-19 0.90 Virus.Win32.Virut.Ce
CP Secure 1.3.0.5 2010.04.19 2010-04-19 0.05 -
Dr.Web 5.0.2.3300 2010.04.19 2010-04-19 6.57 Win32.Virut.56
F-Prot 4.4.4.56 20100418 2010-04-18 1.69 -
F-Secure 7.02.73807 2010.04.18.05 2010-04-18 0.18 Virus.Win32.Virut.ce [AVP]
Fortinet 4.0.14 11.702 2010-04-15 0.19 -
GData 19.11029/19.894 20100418 2010-04-18 6.87 Virus.Win32.Virut.ce [Engine:A]
ViRobot 20100417 2010.04.17 2010-04-17 0.43 -
Ikarus T3.1.01.80 2010.04.18.75657 2010-04-18 5.71 -
JiangMin 13.0.900 2010.04.18 2010-04-18 1.21 -
Kaspersky 5.5.10 2010.04.18 2010-04-18 0.12 Virus.Win32.Virut.ce
KingSoft 2009.2.5.15 2010.4.18.22 2010-04-18 0.67 -
McAfee 5400.1158 5952 2010-04-15 0.02 -
Microsoft 1.5605 2010.04.18 2010-04-18 7.87 Virus:Win32/Virut.BN
Norman 6.04.11 6.04.00 2010-04-16 6.01 W32/Virut.GE
Panda 9.05.01 2010.04.18 2010-04-18 1.82 W32/Sality.AO
Trend Micro 9.120-1004 7.110.12 2010-04-18 0.00 -
Quick Heal 10.00 2010.04.17 2010-04-17 1.56 W32.Virut.G
Rising 20.0 22.43.06.01 2010-04-18 1.30 Win32.Virut.cl
Sophos 3.06.0 4.52 2010-04-19 3.68 W32/Scribble-B
Sunbelt 3.9.2418.2 6193 2010-04-18 5.09 Virus.Win32.Virut.ce (v)
Symantec 1.3.0.24 20100418.002 2010-04-18 0.05 W32.Virut.CF
nProtect 20100417.01 8007176 2010-04-17 7.53 -
The Hacker 6.5.2.0 v00264 2010-04-18 0.55 -
VBA32 3.12.12.4 20100416.2057 2010-04-16 3.49 -
VirusBuster 4.5.11.10 10.124.17/2029311 2010-04-18 2.54 Win32.Virut.AB.Gen

VirSCAN.org Scanned Report :
Scanned time : 2010/04/19 07:12:49 (CST)
Scanner results: 69% Scanner(s) (25/36) found malware!
File Name : spoolsv.exe
File Size : 150528 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : d88f0a5ebae18af18bffa8f03772e783
SHA1 : 780b8e91ad620f9cdfba216a0baa77ea6cdccef8
Online report : http://virscan.org/report/01b2d207c620144a8949263be0c9798f.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100419011346 2010-04-19 4.71 W32.Virut!IK
AhnLab V3 2010.04.18.01 2010.04.18 2010-04-18 1.13 Win32/Virut.F
AntiVir 8.2.1.220 7.10.6.116 2010-04-18 0.29 W32/Virut.Gen
Antiy 2.0.18 20100416.4196309 2010-04-16 0.12 -
Arcavir 2009 201004180324 2010-04-18 0.05 -
Authentium 5.1.1 201004161205 2010-04-16 1.32 W32/Virut.AI!Generic (Heuristic)
AVAST! 4.7.4 100418-1 2010-04-18 0.01 Win32:Vitro
AVG 8.5.720 271.1.1/2819 2010-04-19 1.20 Win32/DH.AA54534F48suspicion
BitDefender 7.81008.5680072 7.31274 2010-04-19 3.58 Win32.Virtob.Gen.12
ClamAV 0.95.3 10755 2010-04-17 0.04 -
Comodo 3.13.579 4640 2010-04-19 0.90 Virus.Win32.Virut.Ce
CP Secure 1.3.0.5 2010.04.19 2010-04-19 0.07 -
Dr.Web 5.0.2.3300 2010.04.19 2010-04-19 6.67 Win32.Virut.56
F-Prot 4.4.4.56 20100418 2010-04-18 1.29 Possible W32/Virut.AI!Generic
F-Secure 7.02.73807 2010.04.18.05 2010-04-18 0.20 Virus.Win32.Virut.ce [AVP]
Fortinet 4.0.14 11.702 2010-04-15 0.23 -
GData 19.11029/19.894 20100418 2010-04-18 6.74 Virus.Win32.Virut.ce [Engine:A]
ViRobot 20100417 2010.04.17 2010-04-17 0.41 -
Ikarus T3.1.01.80 2010.04.18.75657 2010-04-18 5.73 W32.Virut
JiangMin 13.0.900 2010.04.18 2010-04-18 1.19 Win32/Virut.bn
Kaspersky 5.5.10 2010.04.18 2010-04-18 0.12 Virus.Win32.Virut.ce
KingSoft 2009.2.5.15 2010.4.18.22 2010-04-18 0.65 Win32.Virut.cr.61440
McAfee 5400.1158 5952 2010-04-15 0.02 -
Microsoft 1.5605 2010.04.18 2010-04-18 7.98 Virus:Win32/Virut.BN
Norman 6.04.11 6.04.00 2010-04-16 6.01 W32/Virut.GE
Panda 9.05.01 2010.04.18 2010-04-18 1.71 W32/Sality.AO
Trend Micro 9.120-1004 7.110.12 2010-04-18 0.00 -
Quick Heal 10.00 2010.04.17 2010-04-17 1.55 W32.Virut.G
Rising 20.0 22.43.06.01 2010-04-18 1.30 Win32.Virut.cl
Sophos 3.06.0 4.52 2010-04-19 3.47 W32/Scribble-B
Sunbelt 3.9.2418.2 6193 2010-04-18 5.88 Virus.Win32.Virut.ce (v)
Symantec 1.3.0.24 20100418.002 2010-04-18 0.05 W32.Virut.CF
nProtect 20100417.01 8007176 2010-04-17 7.59 -
The Hacker 6.5.2.0 v00264 2010-04-18 0.48 -
VBA32 3.12.12.4 20100416.2057 2010-04-16 2.82 -
VirusBuster 4.5.11.10 10.124.17/2029311 2010-04-18 3.33 Win32.Virut.AB.Gen
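As an added example (not from the thread or from VirSCAN itself), the script below parses rows in the report format pasted above and tallies how many engines fired and which family they agree on. Vendor aliases for one family are folded together; the assumption here is that Vitro, Virtob and Scribble are vendor names for Virut, so a single outlier such as Panda's Sality label does not hide the consensus.

```python
import re
from collections import Counter

# One row of the VirSCAN table. Scanner names may contain spaces ("AhnLab V3",
# "Trend Micro"), so the match is anchored on the fixed-format signature date
# (YYYY-MM-DD) and elapsed-seconds columns rather than on whitespace alone.
ROW = re.compile(
    r"^(?P<scanner>.+?)\s+(?P<engine>\S+)\s+(?P<sig>\S+)\s+"
    r"(?P<sig_date>\d{4}-\d{2}-\d{2})\s+(?P<seconds>\d+\.\d+)\s+(?P<result>.+?)\s*$"
)

# Assumption: these vendor names all denote the Virut family.
VIRUT_ALIASES = ("virut", "vitro", "virtob", "scribble")

# Sample input: lines copied from the explorer.exe report above, header included
# on purpose to show that it is skipped.
SAMPLE = """\
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100419011346 2010-04-19 4.95 -
AhnLab V3 2010.04.18.01 2010.04.18 2010-04-18 1.13 -
AntiVir 8.2.1.220 7.10.6.116 2010-04-18 0.26 W32/Virut.Gen
AVAST! 4.7.4 100418-1 2010-04-18 0.12 Win32:Vitro
BitDefender 7.81008.5680072 7.31274 2010-04-19 3.59 Win32.Virtob.Gen.12
ClamAV 0.95.3 10755 2010-04-17 0.35 -
F-Secure 7.02.73807 2010.04.18.05 2010-04-18 10.79 Virus.Win32.Virut.ce [AVP]
Kaspersky 5.5.10 2010.04.18 2010-04-18 0.13 Virus.Win32.Virut.ce
Panda 9.05.01 2010.04.18 2010-04-18 1.93 W32/Sality.AO
Sophos 3.06.0 4.52 2010-04-19 3.48 W32/Scribble-B
Trend Micro 9.120-1004 7.110.12 2010-04-18 0.00 -
"""


def parse_report(text):
    """Return one dict per scanner row; header and blank lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def family_of(label):
    """Collapse vendor-specific names onto one family label where an alias is known."""
    low = label.lower()
    if any(alias in low for alias in VIRUT_ALIASES):
        return "Virut"
    return label


def summarize(text):
    """Count engines, detections and the family the detecting engines agree on."""
    rows = parse_report(text)
    hits = [r for r in rows if r["result"] != "-"]
    families = Counter(family_of(r["result"]) for r in hits)
    return {
        "engines": len(rows),
        "detections": len(hits),
        "families": dict(families),
        "consensus": families.most_common(1)[0][0] if families else None,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(f"{s['detections']}/{s['engines']} engines fired; consensus: {s['consensus']}")
    for name, count in s["families"].items():
        print(f"  {name}: {count}")
```

Feed it the full 36-row report instead of SAMPLE and the detection count should match the "18/36" VirSCAN prints at the top of each report.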
 

CatByte

Malware Specialist
Joined
Feb 24, 2009
Messages
3,930
Not good news, unfortunately. This is the information I have on this infection:


VIRUT FILE INFECTOR


VIRUT is a polymorphic file infector with some additional features. It spreads all around the drive and infects even files infected by another virus previously.

Unfortunately, the cleaning of this virus is not possible.

The only thing we recommend is to do a full reformat and install.

We have an excellent tutorial on how to reformat here

and for a Vista reformat re-install HERE

We do not recommend trying to save any files from this machine as they could all be infected and will simply re-infect your system again; there is no way of being certain what this infection can do.

It may be possible to save documents, pictures and music files, but I cannot guarantee that they won't be infected.

You could try scanning those files with an online scanner such as Kaspersky.

Only scan the files, not the whole computer or you will be there forever.

Read more about the VIRUT FILE INFECTOR HERE

If you don't have a Windows Installation Disk (if this came with Windows pre-installed), you may have a Manufacturer restore disk to restore the computer to its original state - this depends on the Manufacturer though. Otherwise, give the Manufacturer a call and ask them to send you a restore disk or Windows installation CD.

Should you have any questions, please feel free to ask.

I am sorry there is nothing more that we can do.


More information:

http://free.avg.com/66558
There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.

http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034
W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
  • Immediately before the encrypted code at the end of the last section
  • At the end of the code section of the infected host in 'slack-space' (assuming there is any)
  • At the original entry point of the host (overwriting the original host code)

Miekiemoes, a highly regarded expert in malware removal and an MS-MVP, has an extremely informative blog post about Virut; she only ever recommends a total reformat.

At least this way, you have the best chance of having a clean machine once more.

For future protection read this very well written article Think Prevention.
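As an added illustration (not part of the thread or of the McAfee write-up quoted above), the script below reads a PE section table and flags two signs consistent with the "append to the last section" behaviour described: an entry point that lands in the last section, and a last section marked both writable and executable. The sample images are constructed inside the script; EPO variants that leave the original entry point in place will not trip the first check, and packers and self-extractors trip both legitimately, so this is triage, not detection.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes


def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, list of section dicts) for a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # COFF NumberOfSections
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    opt = e_lfanew + 24                                            # optional header start
    entry = struct.unpack_from("<I", data, opt + 16)[0]           # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, data, opt + size_opt + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return entry, sections


def appended_infector_indicators(data: bytes):
    """Heuristic triage: findings consistent with code appended to the last section."""
    entry, sections = parse_pe(data)
    last = sections[-1]
    hosting = next((s for s in sections
                    if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"])), None)
    findings = []
    if hosting is None:
        findings.append("entry point outside every section")
    elif hosting is last and len(sections) > 1:
        findings.append("entry point lies in the last section")
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("last section is both writable and executable")
    return findings


def build_sample_pe(entry_rva: int, last_chars: int) -> bytes:
    """Constructed minimal two-section PE32 header (headers only, no real code)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)  # i386, 2 sections
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0x200, 0x200, 0, entry_rva, 0x1000, 0x2000)
    opt += b"\0" * (224 - len(opt))                                 # pad to PE32 size
    text = struct.pack(SECTION_HDR, b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(SECTION_HDR, b".data", 0x200, 0x2000, 0x200, 0x600, 0, 0, 0, 0, last_chars)
    return dos + b"PE\0\0" + coff + opt + text + data


def scan_file(path: str):
    """Run the indicators over an on-disk executable."""
    with open(path, "rb") as fh:
        return appended_infector_indicators(fh.read())


if __name__ == "__main__":
    clean = build_sample_pe(0x1000, 0xC0000040)   # entry in .text, .data is RW
    odd = build_sample_pe(0x2000, 0xE0000040)     # entry in last section, which is RWX
    print("clean:", appended_infector_indicators(clean))
    print("odd:  ", appended_infector_indicators(odd))
```

Against the files the thread uploaded, a hit here would only say "look closer"; the hash comparison against a known-good copy and the multi-engine verdict above remain the actual evidence.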
 

neutron411

Thread Starter
Joined
Apr 17, 2010
Messages
4
CatByte,
I had to reformat the hard drive and reload Vista, but it looks like I'm back in business. Thank you so much for your help--it's really nice that you volunteer to help out to try to end some of these really destructive viruses. If you're ever looking for a job in Colorado, let me know!
Thanks again,
Neutron
 

neutron411

Thread Starter
Joined
Apr 17, 2010
Messages
4
PS I was able to save all of my pictures/music/documents without re-infecting the computer, so all it really cost me was time (lots of it!).
 

CatByte

Malware Specialist
Joined
Feb 24, 2009
Messages
3,930
Glad to hear things worked out well for you.

Stay safe

~CB

PS: Colorado is a great place :)