Hi

Is it not there?

Nope, are you using an older version (or am I) or something? It don't say anything about a "Rootkit".

Hi

Sorry about that, the author seems to have changed interfaces. Just make the rest of the settings as posted and run the scan.

Thanks

I waited for about an hour (about 3 or 4 times) for that program but it freezes on "loading drive info". So, I don't think that's going to work... Sorry about this

Hi Rhineus,


No problem, we have other tools.

Download avz4.zip from here

• Unzip it to your desktop to a folder named avz4
• Double click on AVZ.exe to run it.
• Run an update by clicking the Auto Update button on the Right of the Log window:
• Click Start to begin the update

Note: If you recieve an error message, chose a different source, then click Start again

• After the update, from the "File" menu, choose "Standard Scripts"
• Put a check next to item 2: Advanced System Investigation
• Click Execute selected scripts
• At the next prompt, click the OK button
• Let the scan run and click "OK" when the completion prompt pops up
• Now Close out of the Standard Scripts window, and exit AVZ
• Navigate to the avz4 folder and locate the folder LOG
• Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
• Attach virusinfo_syscheck.zip to your next reply,

To attach a file

• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

Thanks

Sorry, but that wont even load... I can't get my task manager to open again either, so I can close it, I'm using the portable version of AnVir Task Manager that I have previously downloaded. In AnVir Task Manager, I tried to open avz4 and it showed it in the program (and it closes a few seconds after that) and it also showed the same thing but with a ', like avz.exe' (it's a hidden file and notice the ' at the end) In the AnVir Task Manager, it shows a whole bunch of ?, like "???????????? ??????? AVZ by ??????????? ???????????, 2007-2009". I about forgot, I have a portable version of AVZ Antiviral Toolkit but the computer wont let me run that either *SIGH* I don't get why the computer wont let me run it.

It's been making a hidden file, with ' at the end every since yesterday. Sorry, to make you go through all this...

This post has been edited by Rhineus: Nov 4 2009, 11:42 PM

Hi Rhineus,

Bear with me while I dig into this a bit more.

Thanks

Hello oldman,

I get an explorer error (saying, Invalid picture) and some error saying (Unexpected error; quitting) and a error saying that my spyware guard "component 'MSCOMCTL.OCX' or one of its dependencies not correctly registered: a file is missing or invalid", and it closes. I wouldn't even doing nothing at the time either. It just started today.

This post has been edited by Rhineus: Nov 5 2009, 06:18 PM

Hi Rhineus,
Let's see if this will show anything. We need a log of some kind.

• Right click the attached file silentrunners.zip
• Select Save target as
• Set the Save in box to Desktop

 Silent_Runners.zip ( 84K ) Number of downloads: 5

• Extract the file to your desktop
• Locate silentrunners.vbs it will have an icon like this
• Run Silent Runner's by double-clicking the "Silent Runners" icon on your desktop.
• You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
• Once you receive the prompt "All Done!", double-click the new text file on the desktop, copy that entire log, and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Please be patient and wait for the All Done! message.

Please locate on your Desktop a fle named Startup Programs (computername) date.txt and post it's contents in your next reply

Thanks

Ok, here you go...

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"RoboForm" = ""C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"" ["Siber Systems"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"UnlockerAssistant" = ""C:\Program Files\Unlocker\UnlockerAssistant.exe"" [null data]
"COMODO Internet Security" = ""C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h" ["COMODO"]
"SoundMan" = "SOUNDMAN.EXE" [file not found]
"VTTimer" = "VTTimer.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"Explorer" = "c:\windows\system32\explorer.exe RO" [null data]
"Svchost" = "c:\windows\svchost.exe RO" [null data]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\(Default) = (no title provided)
\StubPath = "C:\Documents and Settings\Home\Local Settings\Application Data\mrsys.exe MR" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data]
{724d43a9-0d85-11d4-9908-00400523e39a}\(Default) = "RoboForm"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\roboform.dll" ["Siber Systems Inc."]
{CC59E0F9-7E43-44FA-9FAA-8377850BF205}\(Default) = (no title provided)
-> {HKLM...CLSID} = "FDMIECookiesBHO Class"
\InProcServer32\(Default) = "C:\Program Files\Free Download Manager\iefdm2.dll" [null data]
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Java™ Plug-In 2 SSV Helper"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\(Default) = "JQSIEStartDetectorImpl"
-> {HKLM...CLSID} = "JQSIEStartDetectorImpl Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
"{4255A182-CAD9-4214-A19B-7BA7FB633BBD}" = "Comodo Antivirus"
-> {HKLM...CLSID} = "Comodo AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\COMODO\COMODO Internet Security\cavshell.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "j:\portableapps\winrar 4.00 portable\rarext.dll" ["Alexander Roshal"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]

HKLM\SOFTWA RE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "Shell" = "C:\WINDOWS\explorer.exe c:\windows\system32\explorer.exe" [MS]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Comodo Antivirus\(Default) = "{4255A182-CAD9-4214-A19B-7BA7FB633BBD}"
-> {HKLM...CLSID} = "Comodo AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\COMODO\COMODO Internet Security\cavshell.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "j:\portableapps\winrar 4.00 portable\rarext.dll" ["Alexander Roshal"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "j:\portableapps\winrar 4.00 portable\rarext.dll" ["Alexander Roshal"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Comodo Antivirus\(Default) = "{4255A182-CAD9-4214-A19B-7BA7FB633BBD}"
-> {HKLM...CLSID} = "Comodo AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\COMODO\COMODO Internet Security\cavshell.dll" [null data]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "j:\portableapps\winrar 4.00 portable\rarext.dll" ["Alexander Roshal"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Bliss.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Bliss.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

GOMPlayDVDOnArrival\
"Provider" = "GOM Player"
"InvokeProgID" = "GomPlayer.DVD"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\GomPlayer.DVD\shell\open\command\(Default) = ""C:\Program Files\GRETECH\GomPlayer\GOM.exe" /open "%1"" ["Gretech Corp."]

GOMPlayMediaOnArrival\
"Provider" = "GOM Player"
"InvokeProgID" = "GomPlayer.MediaFile"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\GomPlayer.MediaFile\shell\open\command\(Default) = ""C:\Program Files\GRETECH\GomPlayer\GOM.exe" /open "%1"" ["Gretech Corp."]
HKLM\SOFTWARE\Classes\GomPlayer.MediaFile\shell\open\DropTarget\CLSID = "{D0F0AD6B-ECCC-401E-8E71-C4363D41399C}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = "C:\PROGRA~1\GRETECH\GOMPLA~1\GOM.exe" ["Gretech Corp."]


Startup items in "Home" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\Home\Start Menu\Programs\Startup
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"At1" -> launches: "c:\windows\svchost.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{724D43A0-0D85-11D4-9908-00400523E39A}" = (no title provided)
-> {HKLM...CLSID} = "&RoboForm"
\InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\roboform.dll" ["Siber Systems Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{320AF880-6646-11D3-ABEE-C5DBF3571F46}\
"ButtonText" = "Fill Forms"
"MenuText" = "Fill Forms"
"Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html" [file not found]

{320AF880-6646-11D3-ABEE-C5DBF3571F49}\
"ButtonText" = "Save"
"MenuText" = "Save Forms"
"Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html" [file not found]

{724D43AA-0D85-11D4-9908-00400523E39A}\
"ButtonText" = "RoboForm"
"MenuText" = "RoboForm Toolbar"
"Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html" [file not found]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

COMODO Internet Security Helper Service, cmdAgent, ""C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe"" ["COMODO"]
Java Quick Starter, JavaQuickStarterService, ""C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"" ["Sun Microsystems, Inc."]
Windows Spool Services, WinSpoolSvc, ""C:\WINDOWS\system32\csrsc.exe"" [null data]


---------- (launch time: 2009-11-05 23:23:40)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 73 seconds, including 18 seconds for message boxes)

Hi

We need some file informantion

• Make sure to use Internet Explorer for this
• Please go to VirSCAN.org FREE on-line scan service
• Copy and paste the following file path, one at a time if more than file is listed, into the "Suspicious files to scan" box on the top of the page:
  
  C:\WINDOWS\system32\csrsc.exe
  c:\windows\system32\userinit.exe
  c:\windows\system32\svchost.exe
  c:\windows\explorer.exe
  c:\windows\system32\ctfmon.exe
  c:\windows\system32\spoolsv.exe
  
• Click on the Upload button
• Please ensure the scan is complete and the results saved before submitting the next.
• If a pop-up appears saying the file has been scanned already, please select the ReScan button.
• Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
• Paste the contents of the Clipboard in your next reply.

Thanks

Hello,

I couldn't click browse cause IE would freeze so I had to do it manually by copying its location... When I browse anything on my computer, the program freezes for some reason... I guess it has something to do with all these virus'. My task manager opens again, I guess it runs when it wants to... lol

Sorry about the lining of the text, everything looked good in notepad but totally notgood up when I pasted the clipboard in here... I hope you can read it

VirSCAN.org Scanned Report :
Scanned time : 2009/11/06 23:10:04 (CST)
Scanner results: 97% Scanner(s) (36/37) found malware!
File Name : csrsc.exe
File Size : 39424 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : bcfa10a04c1bcaeb63e9bf84a1a317d7
SHA1 : 0e261ee77add4fdfaa31a46dfcf62079535483d5
Online report : http://virscan.org/report/c497b936e10b5372...c29afead61.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091106050124 2009-11-06 4.74 Worm.Win32.Neeris!IK
AhnLab V3 2009.11.06.04 2009.11.06 2009-11-06 1.37 Win32/Virut.B
AntiVir 8.2.1.59 7.1.6.200 2009-11-06 0.32 W32/Virut.AX
Antiy 2.0.18 20091105.3216324 2009-11-05 0.02 -
Arcavir 2009 200911060304 2009-11-06 0.03 W32.Virut.Av
Authentium 5.1.1 200911061152 2009-11-06 1.19 W32/Virut.7116 (Possible)
AVAST! 4.7.4 091106-0 2009-11-06 0.01 Win32:Neeris-B [Wrm]
AVG 8.5.288 270.14.52/2484 2009-11-06 0.33 Win32/Virut
BitDefender 7.81008.4481961 7.28774 2009-11-06 3.95 Win32.Virtob.8.Gen
CA (VET) 35.1.0 7105 2009-11-04 11.44 Win32/Virut.7115 virus.
ClamAV 0.95.2 9995 2009-11-06 0.01 W32.Virut-54
Comodo 3.12 2860 2009-11-06 0.76 Virus.Win32.Virut.AV
CP Secure 1.3.0.5 2009.11.06 2009-11-06 0.07 W32.Virut.av
Dr.Web 4.44.0.9170 2009.11.06 2009-11-06 6.55 BackDoor.IRC.Sdbot.4538
F-Prot 4.4.4.56 20091106 2009-11-06 1.23 W32/Backdoor2.DSTK (exact)
F-Secure 7.02.73807 2009.11.06.06 2009-11-06 0.05 Backdoor:W32/SdBot.CNG [FSE]
Fortinet 2.81-3.120 11.28 2009-11-06 0.19 W32/Virut.AV
GData 19.8743/19.541 20091106 2009-11-06 7.04 Virus.Win32.Virut.av [Engine:A]
ViRobot 20091106 2009.11.06 2009-11-06 0.59 Win32.Virut.S
Ikarus T3.1.01.74 2009.11.06.74464 2009-11-06 3.98 Worm.Win32.Neeris
JiangMin 11.0.800 2009.11.06 2009-11-06 6.35 Win32/Virut.af
Kaspersky 5.5.10 2009.11.06 2009-11-06 0.07 Virus.Win32.Virut.av
KingSoft 2009.2.5.15 2009.11.6.13 2009-11-06 0.51 Win32.Virutab.ak.7680
McAfee 5.3.00 5793 2009-11-05 3.73 W32/Virut.gen.a
Microsoft 1.5202 2009.11.06 2009-11-06 7.62 Worm:Win32/Neeris.AN
Norman 6.01.09 6.01.00 2009-11-06 4.00 W32/Virut.AG
Panda 9.05.01 2009.11.05 2009-11-05 2.83 W32/Virutas.FG
Trend Micro 8.700-1004 6.608.03 2009-11-06 0.02 PE_VIRUT.AV
Quick Heal 10.00 2009.11.06 2009-11-06 1.25 W32.Virut.Z
Rising 20.0 21.54.44.00 2009-11-06 1.34 Win32.Virut.an
Sophos 3.00.1 4.46 2009-11-06 2.96 W32/Virut-W
Sunbelt 5491 5491 2009-11-05 1.99 Virus.Win32.Virut.a (v)
Symantec 1.3.0.24 20091105.003 2009-11-05 0.15 Backdoor.Sdbot
nProtect 20091106.02 6111738 2009-11-06 8.77 Virus/W32.Virut.K
The Hacker 6.5.0.2 v00062 2009-11-05 0.78 W32/Virut.av
VBA32 3.12.10.11 20091105.2113 2009-11-05 2.03 Virus.Win32.Virut.2
VirusBuster 4.5.11.10 10.113.8/2002554 2009-11-05 2.71 Worm.RBot.AEKD



VirSCAN.org Scanned Report :
Scanned time : 2009/11/06 23:36:09 (CST)
Scanner results: 97% Scanner(s) (36/37) found malware!
File Name : userinit.exe
File Size : 31744 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : e20be4bf49f46250d03667636cb56999
SHA1 : 992ae1115873750a06d8c62e582dd0764d765350
Online report : http://virscan.org/report/4f4ee151ff974910...39802998d8.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091106050124 2009-11-06 5.52 Virus.Win32.Virut.av!IK
AhnLab V3 2009.11.06.04 2009.11.06 2009-11-06 0.98 Win32/Virut.B
AntiVir 8.2.1.59 7.1.6.201 2009-11-06 0.12 W32/Virut.AX
Antiy 2.0.18 20091105.3216324 2009-11-05 0.02 -
Arcavir 2009 200911060304 2009-11-06 0.03 W32.Virut.Av
Authentium 5.1.1 200911061407 2009-11-06 1.18 W32/Virut.7116 (Possible)
AVAST! 4.7.4 091106-1 2009-11-06 0.01 Win32:Virtob
AVG 8.5.288 270.14.52/2484 2009-11-06 0.31 Win32/Virut
BitDefender 7.81008.4481961 7.28774 2009-11-06 3.92 Win32.Virtob.8.Gen
CA (VET) 35.1.0 7105 2009-11-04 10.64 Win32/Virut.7115 virus.
ClamAV 0.95.2 9995 2009-11-06 0.01 W32.Virut-54
Comodo 3.12 2860 2009-11-06 0.75 Virus.Win32.Virut.AV
CP Secure 1.3.0.5 2009.11.06 2009-11-06 0.04 W32.Virut.av
Dr.Web 4.44.0.9170 2009.11.06 2009-11-06 6.49 Win32.Virut.30
F-Prot 4.4.4.56 20091106 2009-11-06 1.19 W32/Virut.7116
F-Secure 7.02.73807 2009.11.06.10 2009-11-06 9.39 Virus.Win32.Virut.av [AVP]
Fortinet 2.81-3.120 11.28 2009-11-06 0.24 W32/Virut.AV
GData 19.8743/19.541 20091106 2009-11-06 6.53 Virus.Win32.Virut.av [Engine:A]
ViRobot 20091106 2009.11.06 2009-11-06 0.43 Win32.Virut.S
Ikarus T3.1.01.74 2009.11.06.74464 2009-11-06 4.04 Virus.Win32.Virut.av
JiangMin 11.0.800 2009.11.06 2009-11-06 4.40 Win32/Virut.af
Kaspersky 5.5.10 2009.11.06 2009-11-06 0.07 Virus.Win32.Virut.av
KingSoft 2009.2.5.15 2009.11.6.13 2009-11-06 0.54 Win32.Virutab.ak.7680
McAfee 5.3.00 5793 2009-11-05 3.42 W32/Virut.gen.a
Microsoft 1.5202 2009.11.06 2009-11-06 6.98 Virus:Win32/Virut.AC
Norman 6.01.09 6.01.00 2009-11-06 4.01 W32/Virut.AG
Panda 9.05.01 2009.11.05 2009-11-05 1.84 W32/Virutas.FG
Trend Micro 8.700-1004 6.608.03 2009-11-06 0.02 PE_VIRUT.AV
Quick Heal 10.00 2009.11.06 2009-11-06 1.29 W32.Virut.Z
Rising 20.0 21.54.44.00 2009-11-06 0.99 Win32.Virut.an
Sophos 3.00.1 4.46 2009-11-06 2.93 W32/Virut-W
Sunbelt 5491 5491 2009-11-05 1.93 Virus.Win32.Virut.a (v)
Symantec 1.3.0.24 20091105.003 2009-11-05 0.09 W32.Virut.W
nProtect 20091106.02 6111738 2009-11-06 8.08 Virus/W32.Virut.K
The Hacker 6.5.0.2 v00062 2009-11-05 0.71 W32/Virut.av
VBA32 3.12.10.11 20091105.2113 2009-11-05 1.98 Virus.Win32.Virut.2
VirusBuster 4.5.11.10 10.113.9/2003541 2009-11-06 2.42 Win32.Virut.Gen.4


VirSCAN.org Scanned Report :
Scanned time : 2009/11/06 23:39:39 (CST)
Scanner results: Scanners did not find malware!
File Name : svchost.exe
File Size : 14336 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 8f078ae4ed187aaabc0a305146de6716
SHA1 : da0ff4006859a7580aba81f486f692dead2014fe
Online report : http://virscan.org/report/c7759e8277a1441f...39d327486f.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091106050124 2009-11-06 4.66 -
AhnLab V3 2009.11.06.04 2009.11.06 2009-11-06 1.15 -
AntiVir 8.2.1.59 7.1.6.201 2009-11-06 0.50 -
Antiy 2.0.18 20091105.3216324 2009-11-05 0.02 -
Arcavir 2009 200911060304 2009-11-06 0.04 -
Authentium 5.1.1 200911061407 2009-11-06 1.31 -
AVAST! 4.7.4 091106-1 2009-11-06 0.00 -
AVG 8.5.288 270.14.52/2484 2009-11-06 0.39 -
BitDefender 7.81008.4481961 7.28774 2009-11-06 4.33 -
CA (VET) 35.1.0 7105 2009-11-04 3.46 -
ClamAV 0.95.2 9995 2009-11-06 0.01 -
Comodo 3.12 2860 2009-11-06 0.74 -
CP Secure 1.3.0.5 2009.11.06 2009-11-06 0.04 -
Dr.Web 4.44.0.9170 2009.11.06 2009-11-06 6.47 -
F-Prot 4.4.4.56 20091106 2009-11-06 1.20 -
F-Secure 7.02.73807 2009.11.06.10 2009-11-06 0.10 -
Fortinet 2.81-3.120 11.28 2009-11-06 0.25 -
GData 19.8743/19.541 20091106 2009-11-06 6.21 -
ViRobot 20091106 2009.11.06 2009-11-06 0.43 -
Ikarus T3.1.01.74 2009.11.06.74464 2009-11-06 3.99 -
JiangMin 11.0.800 2009.11.06 2009-11-06 13.41 -
Kaspersky 5.5.10 2009.11.06 2009-11-06 0.07 -
KingSoft 2009.2.5.15 2009.11.6.13 2009-11-06 0.58 -
McAfee 5.3.00 5793 2009-11-05 3.39 -
Microsoft 1.5202 2009.11.06 2009-11-06 10.37 -
Norman 6.01.09 6.01.00 2009-11-06 4.00 -
Panda 9.05.01 2009.11.05 2009-11-05 3.65 -
Trend Micro 8.700-1004 6.608.03 2009-11-06 0.03 -
Quick Heal 10.00 2009.11.06 2009-11-06 2.21 -
Rising 20.0 21.54.44.00 2009-11-06 1.98 -
Sophos 3.00.1 4.46 2009-11-06 3.06 -
Sunbelt 5491 5491 2009-11-05 4.24 -
Symantec 1.3.0.24 20091105.003 2009-11-05 1.47 -
nProtect 20091106.02 6111738 2009-11-06 16.06 -
The Hacker 6.5.0.2 v00062 2009-11-05 1.23 -
VBA32 3.12.10.11 20091105.2113 2009-11-05 1.99 -
VirusBuster 4.5.11.10 10.113.9/2003541 2009-11-06 2.45 -


VirSCAN.org Scanned Report :
Scanned time : 2009/11/06 23:47:15 (CST)
Scanner results: 97% Scanner(s) (36/37) found malware!
File Name : explorer.exe
File Size : 1039360 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : a482dcbdad2713c5cc61a0b05dc774e7
SHA1 : 97244f469462ad26b9b95433a5c6185569f34205
Online report : http://virscan.org/report/fc85796079d45ca0...9f6f1beff6.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091106050124 2009-11-06 4.06 Virus.Win32.Virut.q!IK
AhnLab V3 2009.11.06.04 2009.11.06 2009-11-06 0.91 Win32/Virut.B
AntiVir 8.2.1.59 7.1.6.201 2009-11-06 0.26 W32/Virut.AX
Antiy 2.0.18 20091105.3216324 2009-11-05 0.02 -
Arcavir 2009 200911060304 2009-11-06 0.04 W32.Virut.Av
Authentium 5.1.1 200911061407 2009-11-06 1.21 W32/Virut.7116 (Possible)
AVAST! 4.7.4 091106-1 2009-11-06 0.05 Win32:Virtob
AVG 8.5.288 270.14.52/2484 2009-11-06 0.31 Win32/Virut
BitDefender 7.81008.4481961 7.28774 2009-11-06 3.90 Win32.Virtob.8.Gen
CA (VET) 35.1.0 7105 2009-11-04 8.66 Win32/Virut.7115 virus.
ClamAV 0.95.2 9995 2009-11-06 0.15 W32.Virut-54
Comodo 3.12 2860 2009-11-06 0.74 Virus.Win32.Virut.AV
CP Secure 1.3.0.5 2009.11.06 2009-11-06 0.11 W32.Virut.av
Dr.Web 4.44.0.9170 2009.11.06 2009-11-06 6.59 Win32.Virut.30
F-Prot 4.4.4.56 20091106 2009-11-06 1.21 W32/Virut.7116
F-Secure 7.02.73807 2009.11.06.10 2009-11-06 0.12 Virus.Win32.Virut.av [AVP]
Fortinet 2.81-3.120 11.28 2009-11-06 0.26 W32/Virut.AV
GData 19.8743/19.541 20091106 2009-11-06 7.44 Virus.Win32.Virut.av [Engine:A]
ViRobot 20091106 2009.11.06 2009-11-06 0.42 Win32.Virut.S
Ikarus T3.1.01.74 2009.11.06.74464 2009-11-06 4.02 Virus.Win32.Virut.q
JiangMin 11.0.800 2009.11.06 2009-11-06 5.73 Win32/Virut.af
Kaspersky 5.5.10 2009.11.06 2009-11-06 0.07 Virus.Win32.Virut.av
KingSoft 2009.2.5.15 2009.11.6.22 2009-11-06 0.50 Win32.Virutab.ak.7680
McAfee 5.3.00 5793 2009-11-05 3.56 W32/Virut.gen.a
Microsoft 1.5202 2009.11.06 2009-11-06 7.90 Virus:Win32/Virut.AC
Norman 6.01.09 6.01.00 2009-11-06 4.01 W32/Virut.CT
Panda 9.05.01 2009.11.05 2009-11-05 2.02 W32/Virutas.FG
Trend Micro 8.700-1004 6.608.03 2009-11-06 0.02 PE_VIRUT.AV
Quick Heal 10.00 2009.11.06 2009-11-06 1.23 W32.Virut.Z
Rising 20.0 21.54.44.00 2009-11-06 1.26 Win32.Virut.an
Sophos 3.00.1 4.46 2009-11-06 2.92 W32/Virut-W
Sunbelt 5491 5491 2009-11-05 1.69 Virus.Win32.Virut.a (v)
Symantec 1.3.0.24 20091105.003 2009-11-05 0.07 W32.Virut.W
nProtect 20091106.02 6111738 2009-11-06 7.80 Virus/W32.Virut.K
The Hacker 6.5.0.2 v00062 2009-11-05 0.90 W32/Virut.av
VBA32 3.12.10.11 20091105.2113 2009-11-05 1.98 Virus.Win32.Virut.2
VirusBuster 4.5.11.10 10.113.9/2003541 2009-11-06 3.28 Win32.Virut.Gen.4


VirSCAN.org Scanned Report :
Scanned time : 2009/11/06 23:52:48 (CST)
Scanner results: 97% Scanner(s) (36/37) found malware!
File Name : ctfmon.exe
File Size : 22528 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 26d5e5b22912f9976d382ed7b9e7315d
SHA1 : a3e08e9af88be0f40f731b940677717d046a8dd7
Online report : http://virscan.org/report/0a39ccdc43d86a0a...8e642da9cd.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091106050124 2009-11-06 14.61 Virus.Win32.Virut.av!IK
AhnLab V3 2009.11.06.04 2009.11.06 2009-11-06 2.02 Win32/Virut.B
AntiVir 8.2.1.59 7.1.6.201 2009-11-06 0.37 W32/Virut.AX
Antiy 2.0.18 20091105.3216324 2009-11-05 0.02 -
Arcavir 2009 200911060304 2009-11-06 0.03 W32.Virut.Av
Authentium 5.1.1 200911061407 2009-11-06 1.24 W32/Virut.7116 (Possible)
AVAST! 4.7.4 091106-1 2009-11-06 0.00 Win32:Virtob
AVG 8.5.288 270.14.52/2484 2009-11-06 0.32 Win32/Virut
BitDefender 7.81008.4481961 7.28774 2009-11-06 3.88 Win32.Virtob.8.Gen
CA (VET) 35.1.0 7106 2009-11-05 10.67 Win32/Virut.7115 virus.
ClamAV 0.95.2 9995 2009-11-06 0.01 W32.Virut-54
Comodo 3.12 2860 2009-11-06 0.87 Virus.Win32.Virut.AV
CP Secure 1.3.0.5 2009.11.06 2009-11-06 0.04 W32.Virut.av
Dr.Web 4.44.0.9170 2009.11.06 2009-11-06 6.55 Win32.Virut.30
F-Prot 4.4.4.56 20091106 2009-11-06 1.18 W32/Virut.7116
F-Secure 7.02.73807 2009.11.06.10 2009-11-06 0.11 Virus.Win32.Virut.av [AVP]
Fortinet 2.81-3.120 11.28 2009-11-06 0.35 W32/Virut.AV
GData 19.8743/19.541 20091106 2009-11-06 11.82 Virus.Win32.Virut.av [Engine:A]
ViRobot 20091106 2009.11.06 2009-11-06 0.91 Win32.Virut.S
Ikarus T3.1.01.74 2009.11.06.74464 2009-11-06 4.00 Virus.Win32.Virut.av
JiangMin 11.0.800 2009.11.06 2009-11-06 20.34 Win32/Virut.af
Kaspersky 5.5.10 2009.11.06 2009-11-06 0.07 Virus.Win32.Virut.av
KingSoft 2009.2.5.15 2009.11.6.22 2009-11-06 0.53 Win32.Virutab.ak.7680
McAfee 5.3.00 5793 2009-11-05 3.51 W32/Virut.gen.a
Microsoft 1.5202 2009.11.06 2009-11-06 12.38 Virus:Win32/Virut.AC
Norman 6.01.09 6.01.00 2009-11-06 4.01 W32/Virut.AG
Panda 9.05.01 2009.11.05 2009-11-05 4.29 W32/Virutas.FG
Trend Micro 8.700-1004 6.608.03 2009-11-06 0.02 PE_VIRUT.AV
Quick Heal 10.00 2009.11.06 2009-11-06 1.57 W32.Virut.Z
Rising 20.0 21.54.44.00 2009-11-06 1.51 Win32.Virut.an
Sophos 3.00.1 4.46 2009-11-06 3.36 W32/Virut-W
Sunbelt 5491 5491 2009-11-05 1.81 Virus.Win32.Virut.a (v)
Symantec 1.3.0.24 20091105.003 2009-11-05 0.06 W32.Virut.W
nProtect 20091106.02 6111738 2009-11-06 9.25 Virus/W32.Virut.K
The Hacker 6.5.0.2 v00062 2009-11-05 1.00 W32/Virut.av
VBA32 3.12.10.11 20091105.2113 2009-11-05 1.97 Virus.Win32.Virut.2
VirusBuster 4.5.11.10 10.113.9/2003541 2009-11-06 2.40 Win32.Virut.Gen.4


VirSCAN.org Scanned Report :
Scanned time : 2009/11/06 23:56:55 (CST)
Scanner results: Scanners did not find malware!
File Name : spoolsv.exe
File Size : 57856 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 7435b108b935e42ea92ca94f59c8e717
SHA1 : c0c79c39a7f4d4e491bff70810439c1aae3e5006
Online report : http://virscan.org/report/8163532222ebf4ee...81dce1d3dc.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091106050124 2009-11-06 3.90 -
AhnLab V3 2009.11.06.04 2009.11.06 2009-11-06 1.35 -
AntiVir 8.2.1.59 7.1.6.201 2009-11-06 0.15 -
Antiy 2.0.18 20091105.3216324 2009-11-05 0.02 -
Arcavir 2009 200911060304 2009-11-06 0.04 -
Authentium 5.1.1 200911061407 2009-11-06 1.35 -
AVAST! 4.7.4 091106-1 2009-11-06 0.01 -
AVG 8.5.288 270.14.52/2484 2009-11-06 0.35 -
BitDefender 7.81008.4481961 7.28774 2009-11-06 3.91 -
CA (VET) 35.1.0 7106 2009-11-05 7.89 -
ClamAV 0.95.2 9995 2009-11-06 0.02 -
Comodo 3.12 2860 2009-11-06 0.69 -
CP Secure 1.3.0.5 2009.11.06 2009-11-06 0.05 -
Dr.Web 4.44.0.9170 2009.11.06 2009-11-06 6.46 -
F-Prot 4.4.4.56 20091106 2009-11-06 1.29 -
F-Secure 7.02.73807 2009.11.06.10 2009-11-06 0.10 -
Fortinet 2.81-3.120 11.28 2009-11-06 0.29 -
GData 19.8743/19.541 20091106 2009-11-06 4.47 -
ViRobot 20091106 2009.11.06 2009-11-06 0.46 -
Ikarus T3.1.01.74 2009.11.06.74464 2009-11-06 3.98 -
JiangMin 11.0.800 2009.11.06 2009-11-06 4.20 -
Kaspersky 5.5.10 2009.11.06 2009-11-06 0.06 -
KingSoft 2009.2.5.15 2009.11.6.22 2009-11-06 0.64 -
McAfee 5.3.00 5793 2009-11-05 3.40 -
Microsoft 1.5202 2009.11.06 2009-11-06 6.46 -
Norman 6.01.09 6.01.00 2009-11-06 4.01 -
Panda 9.05.01 2009.11.05 2009-11-05 2.40 -
Trend Micro 8.700-1004 6.608.03 2009-11-06 0.03 -
Quick Heal 10.00 2009.11.06 2009-11-06 1.59 -
Rising 20.0 21.54.44.00 2009-11-06 1.05 -
Sophos 3.00.1 4.46 2009-11-06 2.92 -
Sunbelt 5491 5491 2009-11-05 1.70 -
Symantec 1.3.0.24 20091105.003 2009-11-05 0.23 -
nProtect 20091106.02 6111738 2009-11-06 7.77 -
The Hacker 6.5.0.2 v00062 2009-11-05 0.75 -
VBA32 3.12.10.11 20091105.2113 2009-11-05 2.00 -
VirusBuster 4.5.11.10 10.113.9/2003541 2009-11-06 2.44 -

Hi Rhineus,

Those results would definately explain what happened to our tools.

Bad news I'm afraid. You are infected with a file infector called Virut.

This infection can and will infect all the machine's executable files .exe, .scr plus .html and .htm. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair resulting in an inoperative machine.

Recent variants also modify asp and php files.

More information can be found here and here and
here.

A [B]Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain .exe, .scr, .hlm, .html files.

• Backup all your documents and important items only.
  data/documents/pictures/movies/songs/etc..
• DO NOT backup any executable files (,exe .scr .html or .htm)
• Do Not back up compressed files (zip/cab/rar) files that may contain .exe or .scr files
• Reformat and Reinstall as outlined HERE

A CD would be best, but a blank USB device will work. Make sure there aren't any executable on it.

If you are going to use a USB device, I suggest you use a freshly formated one. After formatting it, use FDD on it before attaching it to the infected computer.

Be further advised that these infections may have backdoor capabilities.

I suggest you do the following immediately:

• Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
• From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
• DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

Feel free to ask any questions, but keep in mind a Reformat is the only way to clean this computer.

O' man, ok, maybe even infected my external hard drive too... That's where I keep my portable programs, like 30 or 40 programs. So, video, pdf files, txt, rtf, image files or songs aren't infected?

This post has been edited by Rhineus: Nov 6 2009, 11:38 PM

Hi

It's possible that your external HD is also infected. You should scan it with Kaspersky. You probably won't be able to access Kaspersky while infected. I suggest before you reformat use FDD (if it will run) on your external drive. Once you have reinstalled, go to Kaspersky and scan your entire computer (all Drives). Depending on how much you have on it, it may take some time. Do not reinstall any files from it until you are 100% sure it's clean.

If Virut did make it to your external drive, then the programs are most likely infected.


Download Flash_Disinfector.exe by sUBs and save it to your desktop.

• Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
• The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
• Wait until it has finished scanning and then exit the program.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Link to Kaspersky Kaspersky

As far as I know these are ok. However this infection is getting "improved" all the time. I would suggest scanning any of these types of files you intend on restoring with Kaspersky online. It has a very good detection rate for Virut.

If you want to try Kaspersky, you may get lucky and be able to do a scan. It won't remove anything, but you would at least have an idea about your external drive.